
The Road Map

This handbook provides machine designers, quality assurance managers, sales directors
and others with a road map for understanding the Machinery Directive and CE marking
process. Its contents include:
• An easy-to-follow introduction to the Machinery Directive and key European Norms
(standards)
• The basic CE marking steps
• Direction to further resources
• Important guidance on risk estimation and assessment
• A review of safety and safety-related components for control systems
• Answers to frequently asked questions
• Excerpts from selected directives and standards
Most importantly, Understanding the Machinery Directive provides some straight
talk about what the language of the directives and standards really requires.

Publication SHB-900 — September 1997 © 1997 Allen-Bradley Company, Inc. Printed in USA
Understanding the
Machinery Directive
A Road Map to CE Marking and Safety-Related
Control Product Applications
Important notice
This publication contains summary information regarding European Union (EU) directives relevant to
industrial control and automation products of the type manufactured by Rockwell Automation/Allen-Bradley.
This information is solely based on Rockwell Automation’s interpretation of those directives and should not
be considered a definitive analysis of all relevant EU directives or their impact on any one company’s goods
or services. Because of the vast variety of product uses, those responsible for the application and use of those
products within the EU should conduct their own independent evaluation to assure that each application and use
meets the requirements of all relevant directives, as well as other local and regional codes, laws and regulations.

Credits
Rockwell Automation would like to extend special appreciation to the following individuals for sharing
their knowledge of European safety legislation:
John Bloodgood, President, JFB Enterprises, Fond du Lac, Wisconsin
Timothy Panchot, Sales representative, Intertek Testing Services, Lake Elmo, Minnesota
Numerous individuals from Rockwell Automation/Allen-Bradley also deserve credit for their contributions
to this handbook:
Kyle Ahlfinger
Paul Brown
Scott Coleman
Jeff Dickman
Kimber Lynn Drake
Larry Fischer
Dave Fisher
Frank Graninger
Rick Green
Dave Hagemeier
John Haydu
Joe Kann
Mike Kent
John Lewis
Jerry McCarthy
Sheri Rasmussen
Greg Reynolds
Jerry Rondorf
Marv Schilt
Chuck Schroeder, The Brady Company
Barbara Steinberger
Dick Steinmetz
Irene Timm
Heinz Unterweger
Tami Witt
Steve Zimmermann
Thank you, everyone, and best regards to safety-conscious managers everywhere.

James J. Jerschefske
Project Manager
Rockwell Automation/Allen-Bradley
TABLE OF CONTENTS

Chapter 1 — Introduction
1.0 New laws impact equipment manufacturers and end-users
1.1 A global road map
1.2 Does the Machinery Directive apply to me?
1.3 Good intentions

Chapter 2 — Acronyms? Numbers? Help!
2.0 The European market
2.1 So what directives should I examine?
2.2 Standards to clarify directives
2.3 Sources for standards
2.4 CE marking
2.5 Interpretations may vary
2.6 Applying components properly

Chapter 3 — The Road Map
3.0 Starting out
3.1 EN 292 — Basic concepts of machine safety
3.2 The Directives
3.3 EMC Directive
3.4 The Low Voltage Directive
3.5 The Product Liability Directive
3.6 Examining Type A, B and C Standards
3.7 Annex I — Essential Health and Safety Requirements
3.8 Risk assessment — EN 1050
3.9 Risk estimation — EN 1050 and EN 954
3.10 Performance categories — EN 954
3.11 Risk, performance and selection
3.12 Summary

Chapter 4 — Post Design and Construction Requirements
4.0 So you’ve complied with requirements — now what?
4.1 Information for use
4.2 Advice for drafting information for use
4.3 The Technical File
4.4 Declaration of Conformity
4.5 Can you self-certify?
4.6 CE Marking

Chapter 5 — Safety Category Requirements
5.0 Why include safety and safety-related components?
5.1 Well-tried components and design principles
5.2 Direct opening action contacts
5.3 Positively driven contacts
5.4 Anti-tease features
5.5 Redundancy
5.6 Normally energized circuits
5.7 Control circuits and performance categories
5.8 Category B and Category 1
5.9 Category 2
5.10 Category 3 and category 4

Chapter 6 — Safety Concerns for Power-Related Products
6.0 Operational functions
6.1 Contact reliability
6.2 Multiple fault detection
6.3 Motor protection
6.4 Safe separation of circuits to avoid electric shock
6.5 Protection against electric shock
6.6 Protection against indirect contact

Chapter 7 — Frequently Asked Questions (FAQs)
- Big Picture FAQs
- Component FAQs
- Rockwell Automation/Allen-Bradley FAQs

Glossary of Terms

Appendices
Appendix A — Select Type B standards
Appendix B — Electrical equipment of machines
Appendix C — EHSR (Annex I of the Machinery Directive)
Appendix D — Some significant faults and failures
Appendix E — Standards and characteristics of safety functions
Appendix F — Sample DOCs
Appendix G — Annex IV equipment
Appendix H — IEC Style Diagrams from Chapter 5

CHAPTER 1
Introduction

1.0 New laws impact equipment manufacturers and end-users


As a prerequisite to participating in the global marketplace, all machinery manufacturers
and end-users should consider machinery safety and control reliability when designing their
equipment. One significant force behind this international safety effort is the 1995 European
law requiring all machinery built for use in the European Union (EU) and European Economic
Area (EEA) to comply with the Machinery Directive on safety. The law mandates that machine
builders indicate compliance by placing CE marking on their machinery. CE stands for
Communauté Européenne, which is French for European Community.

Though European in origin, these safety-related directives impact original equipment
manufacturers (OEMs), end-users and multi-national corporations everywhere. With components
sourced from around the world, the final destination and use of a product often remains unknown
to its manufacturer. Further, companies producing machinery for Europe often turn to their
suppliers for information and support as part of their effort to comply with the directives.

1.1 A global road map


The purpose of this book is to provide designers, quality assurance managers, sales
directors and others with a road map for understanding the key elements of the CE marking
process. It introduces the reader to key European requirements in an easy-to-understand
format; it walks OEMs through the basic CE marking steps; it helps establish realistic
expectations; and it directs readers to further resources. Where appropriate, much of the
language used stays close to the original wording of the directives and standards. The second
portion of this book provides safety component application examples.
The authors reiterate that this book serves as a road map for making a comprehensive
process more manageable. It is not intended to be a substitute for thoroughly reading all
appropriate directives and standards.

1.2 Does the Machinery Directive apply to me?


The definition of machinery is “An assembly of linked parts or components, at least one of
which moves, with the appropriate actuators, control, and power circuits, etc., joined together for a
specific application, in particular for the processing, treatment, moving or packaging of a material”
(See Figure 1.0).
This definition also covers an assembly of machines functioning as a whole, as well as
interchangeable equipment modifying the function of a machine. Any manufacturer whose
“machine” fits the above description would be well-advised to continue reading.

[Figure: block diagram of a machine. Labels shown: operator-machine interface; signalling, display, warning; manual controls (actuators), control devices; control system; data storage and logic or analog data processing; sensors, safety devices; power control elements (contactors, valves, speed controllers, etc.); operative part; machine actuators (engines, cylinders); power transmission elements; working parts; guards.]

Fig. 1.0 General schematic representation of a machine (from EN 292-1, Annex A).

According to the Machinery Directive, only companies building a “machine” for the EU
market need to apply CE marking. Many individual components and sub assemblies — such as
those having no independent source of energy or those that are not safety components — may
not need marking at all, or they may be CE marked according to other directives.

1.3 Good intentions

The overall charge of the Machinery Directive explains that “...Member states are
responsible for ensuring the health and safety...of workers, notably in relation to the risks
arising out of the use of machinery. The social cost of the large number of accidents caused
directly by the use of machinery can be reduced by inherently safe design and construction
of machinery and by proper installations and maintenance.”
Further, the directive mandates a common sense approach for addressing safety (e.g., “Each
machine must be fitted with one or more emergency stop devices to enable actual or impending
danger to be averted”). Also helpful are the standards supporting the directive, which provide a
process for identifying hazards, assessing risk and implementing measures to improve reliability,
reduce the possibility of failure or increase the probability of detecting a failure.
Ultimately, the directives reduce bureaucracy and help OEMs make their products as safe
as possible while being realistic about design and usage demands. In the event of an accident,
the directives also may offer proof of due diligence.
The designer encountering European safety laws for the first time may feel overwhelmed
by all the new safety-related numbers and acronyms.

CHAPTER 2
Acronyms? Numbers? Help!

2.0 The European market


The countries of the European Union are (as of January 1, 1997):
Austria Germany Netherlands
Belgium Greece Portugal
Denmark Ireland Spain
Finland Italy Sweden
France Luxembourg United Kingdom
The EU countries — plus Iceland, Liechtenstein and Norway — form the European Economic
Area (EEA). The rules for the free movement of goods that apply to the EU also apply for the
EEA. Other countries, such as Switzerland, may adopt some or all of the directives; in this case,
the same rules apply. OEMs should check with the specific country for the applicable directives.

2.1 So what directives should I examine?


The directives are legal documents (laws) issued on the authority of the Council of the EU and
adopted by the governments of all member countries. They create a uniform level of requirements
and regulations for all EEA members and supersede the previous national rules and standards
(which varied greatly). The member states are obliged to transfer the directives into national law.
This facilitates the free movement of goods across international borders, eliminating trade barriers.
The Machinery Directive (official reference number 89/392/EEC) with amendments is the
most comprehensive directive for machinery using control products. It states that all machinery
marketed in the EU/EEA must meet certain safety requirements.
These wide-reaching requirements cover every aspect of the machine: mechanical design,
electrical design, controls, safety, and the potential for the machinery to create hazardous
situations. Note that while the directive discusses controls and safety components, it does
so in the context of designing a safe machine.
The Machinery Directive also identifies certain machines, apparatus and applications
that do not fall within its scope. For this equipment, other directives may apply, such as the
Electromagnetic Compatibility (EMC) Directive (89/336/EEC) and the Low Voltage Directive
(73/23/EEC) as well as directives for batteries, explosive atmospheres, simple pressure vessels,
personal protection equipment and dangerous substances. Manufacturers must take care to
learn about all directives which apply to their product.


Machinery builders must thoroughly familiarize themselves with the Machinery Directive and associated standards.

2.2 Standards to clarify directives


To help clarify and expand on the essential requirements set forth by the directives, and
to provide a means of testing/verifying that machinery meets directive requirements, OEMs
can refer to a set of harmonized European standards (“European Norms,” or ENs).
Developed by the European Committee for Standardization (CEN) and the European
Committee for Electrotechnical Standardization (CENELEC), the standards are voluntary, not
law. However, standards are the most expedient means to show compliance with the Machinery
Directive. When OEMs design machinery according to EN standards, conformity is presumed.
Two fundamental safety standards apply to all electrically controlled machinery:
• EN 292-1, -2 — Safety of machinery — Basic concepts, general principles for design.
Part 1: Basic terminology and methodology. Part 2: Technical principles and specifications.
• EN 1050 — Safety of machinery — Principles for risk assessment.
Two other fundamental standards address specific safety aspects:
• EN 60204-1 — Safety of machinery — Electrical equipment of machines.
Part 1: General requirements
• EN 954-1 — Safety of machinery — Safety-related parts of control systems.
Part 1: General principles for design
These four standards comprise the base standards to show conformance to the Machinery
Directive. The machine designer embarking on the CE marking quest should begin by
obtaining the full text of the four standards noted above and the Machinery, Low Voltage and
Electromagnetic Compatibility Directives.

2.3 Sources for standards


The following organizations and companies provide copies of the standards and directives
(as of September 1997):
1. ANSI - American National Standards Institute
11 West 42nd Street New York, NY 10036 USA.
Phone: 1-212-642-4900.
Fax (for ordering): 1-212-302-1286. Fax (general): 1-212-398-0023.
Internet: www.ansi.org
Comments: Now accepts credit cards. ANSI is also the source of IEC & ISO
standards, CEN and CENELEC pre-standards (prEN).
2. International Electrotechnical Commission (IEC)
3, rue de Varembe P.O. Box 131 CH 1211 Geneva 20 SWITZERLAND
Phone: 011-41-22-919-0211 Fax: 011-41-22-919-0300
Internet: www.iec.ch/
Comments: Direct source of IEC standards. Will accept credit cards as part
of phone order.
3. International Organization for Standardization (ISO)
1, rue de Varembe CH 1211 Geneva 20 SWITZERLAND
Phone: 011-41-22-749-0111 Fax: 011-41-22-733-3430
Internet: www.iso.ch/
Comments: Direct source of ISO standards. Will accept credit cards as part
of phone order.
4. British Standards Institution
389 Chiswick High Road, London W4 4AL UNITED KINGDOM
Phone: 011-44-181-996-9000
Fax: 011-44-181-996-7400
Internet: www.bsi.org.uk/
Comments: Source of CEN and CENELEC standards once they are
published (English language version).
5. Global Engineering Documents
7730 Carondelet Ave., Suite 407, St. Louis, MO 63105.
Phone: 1-800-854-7179.
Fax: 1-314-726-6418
Comments: Source for a variety of standards.
6. CEN - European Committee for Standardization
Central Secretariat: rue de Stassart 36, B-1050, Brussels, Belgium.
Phone: 011-32-2-550-0819.
Fax: 011-32-2-550-0811
Internet: http://tobbi.iti.is/cen/welcome.html
7. CENELEC - European Committee for Electrotechnical Standardization
Central Secretariat: rue de Stassart 35, B-1050, Brussels, Belgium.
Phone: 011-32-2-51-96-919.
Fax: 011-32-3-51-96-871

Notified Bodies

A Notified Body is a type of independent testing laboratory that an EU member state has
determined to be qualified to perform testing and certification functions relating to specified
directives. The member state “notifies” the Council of the European Community (EC) and
the laboratory of its qualified status. An EC-Type examination is the procedure by which a
Notified Body ascertains and certifies that an apparatus satisfies the provisions of the
applicable directive(s).

2.4 CE marking

When machinery manufacturers place CE marking (Figure 2.0) on their product, they
are stating that the product complies with all applicable directives. To affix CE marking to
a product, manufacturers must issue a Declaration of Conformity (DOC). This is a formal,
signed statement indicating conformity of the referenced product to the listed provisions
of the applicable directive(s) and standards.
Most machine manufacturers — about 95 percent — can self-certify their compliance with
the Machinery Directive (i.e., it is not mandatory to use an outside agency in most cases). A
few product categories, including high-risk machinery such as punch presses, saws, etc.,
require third-party certification by a Notified Body.
If the product is not manufactured in the EU/EEA, it may be advantageous for the machine
builder to establish an authorized representative located within the EU/EEA. The authorized
representative should be easily accessible, have ready access to the DOC, and be able to
supply supporting information on request.

Fig. 2.0

2.5 Interpretations may vary


The language of the directives and standards permits a variety of interpretations. This, in
turn, has led to misinformation and confusion about what they really require. Since machinery
manufacturers have responsibility for the performance level of their equipment, it is mandatory
that they read and understand the directives themselves. When in doubt about requirements,
machine builders should refer to the directives and standards; do not accept “expert opinion”
as fact or as the only possible interpretation.
The role of third-party inspectors also generates many questions. The important things
to remember are that most manufacturers can self-certify (the directives clearly cite the
exceptions), and that the EU/EEA does not require machines or components to have additional
safety marks (e.g., the German “GS” or Danish “Demko” marks) other than CE marking.
Sometimes, machinery buyers request that suppliers meet requirements beyond those
for CE marking, such as internal company standards. In such cases, machinery buyers should
specify the additional standards to which they want the product tested or built, and
machine builders should clarify this with the customer up front.

2.6 Applying components properly


Confusion can arise when machine designers hear that using control components with
CE marking means that their machine meets Machinery Directive requirements. This is not
true. CE marking on a control component usually indicates compliance with the Low Voltage
or Electromagnetic Compatibility Directive. Machinery Directive requirements for control
components are an entirely separate set of concerns.
A good analogy for U.S. audiences might be this: using UL-listed components for
a panel does not mean the panel meets UL requirements. To create a UL-approved panel, the
components must be wired and installed according to an acceptable methodology, the National
Electric Codes. This ensures that components are used for their intended function (or conversely, it
helps to prevent unacceptable practices, such as trying to run 200 amps through 16 gauge wire).
While component suppliers can specify application parameters and provide design advice,
it is the machinery builder who integrates the components as part of a machine. Thus, the
builder must take responsibility for ensuring that the components have been assembled and
applied in a manner that meets machine safety requirements.

Machinery builders must apply control components in an appropriate manner to satisfy Machinery
Directive requirements. Remember: Simply using components with CE marking does not mean your
machine meets CE requirements.
Without a road map, the path to CE conformity can seem long and confusing.

CHAPTER 3
The Road Map

[Figure: flowchart of the steps to CE marking, top to bottom]

1. Familiarization with the basic concepts of machine safety
2. Read and understand the Machinery Directive
3. Review other Directives for applicability
4. Examining Type A, B and C standards
5. Is there a 'C' Type standard available?
   Yes: Design and construct in accordance with all requirements of 'C' Type standard.
   Yes, but cannot fully comply: Design and construct in accordance with as many as possible
   of 'C' standard requirements and other appropriate measures from 'A' & 'B' standards.
   No: Conduct Risk Assessment and Risk Estimation. Apply requirements of 'A' & 'B'
   standards as needed.
6. Verify (test or inspect) that machinery meets requirements of applicable sections of Annex I
7. Create 'Information for use'
8. Generate Technical File
9. Can you self-certify?
   No: Submit for EC Type Examination
   Yes: continue
10. Sign Declaration of Conformity
11. Affix CE marking

Fig. 3.0 Basic approach to obtaining CE marking [Note: A, B and C standards are explained in section 3.6 of
this book].

3.0 Starting out

Viewed graphically (see Figure 3.0), the process of obtaining CE marking looks quite
manageable. The authors suggest that manufacturers approach the task as a series of steps and
think of it as a process for incorporating safety into machinery.
This section cites specific standards and directives and quotes sections of them. The intent
is to expose readers to the standards in a controlled manner, and to direct readers to the sections
that will be most helpful to them.

3.1 EN 292 — Basic concepts of machine safety


European Norms (ENs, commonly referred to as “standards”) state specific requirements
of the directives. The key standards for clarifying the Machinery Directive are EN 292-1 and
EN 292-2, Safety of machinery.


EN 292-1 serves as a good introduction because it provides machine designers with basic
concepts and terminology of machine safety (e.g., safety-critical functions, moveable guard,
two-hand control devices, trip device), descriptions of hazards (e.g., mechanical, electrical,
thermal) and strategies for risk assessment and reduction (see Figures 3.1A and 3.1B). For
more information on the terminology used in the standards, obtain a copy of ENV 1070, a
provisional standard now being developed on terminology.

[Figure: flowchart of the supplier's procedure. Boxes and decision points shown: determine the limits of the machinery or system; task and hazard identification; risk estimation; risk evaluation (for each hazard related to a task or reasonably foreseeable misuse); validate results; Is the risk tolerable?; Are additional hazards created?; Can hazard be eliminated by design?; Can risk be reduced by safeguarding?; provide warnings, signs, symbols (as req'd); More hazards?; finalize information for use (documentation). The user (or user community) provides information as to intended use, tasks, accident history and possible misuse. A side note marks the case where the supplier cannot reduce the risk to a tolerable level and therefore must rely on the user to provide additional safeguards or protective measures.]

Fig. 3.1A Procedure for suppliers to assess and reduce risk (from proposed update to EN 292-1).

[Figure: flowchart of the user's procedure. Boxes and decision points shown: determine the application of the machinery or system; task identification; risk estimation; risk evaluation (for each task); validate results; Is the risk tolerable?; More tasks?; New task added; additional safeguards (guards, protective devices, protective measures, personal protective equipment); develop safe working procedures; conduct training. The supplier provides information as to proper use (including limits), residual risk, additional protective measures, safe working practices and training; user requirements (specific user or user community) go back to the supplier. A side note marks the case where the supplier cannot reduce the risk to a tolerable level and therefore must rely on the user to provide additional safeguards or protective measures.]

Fig. 3.1B Procedure for users to assess and reduce risk (from proposed update to EN 292-1).

EN 292-2 provides an overview of the technical principles and specifications for
incorporating safety into a machine; e.g., avoiding or reducing as many of the hazards
as possible by using the most suitable design features, and by limiting a person’s exposure
to hazards by reducing the need for operator presence/intervention in danger zones.
EN 292-2 addresses risk reduction by design, safeguarding (see Figure 3.2), creating
“information for use” (i.e., an owner’s manual) and additional precautions designers can take
related to improving safety.
Hopefully, just the brief information and charts referenced here have convinced
manufacturers that the standards establish a helpful framework for designing safe machines.

[Figure: decision chart for choosing safeguards.

Hazards generated by moving transmission parts:
- fixed guards (see 4.2.2.2), or
- interlocking guards with or without guard locking (see 4.2.2.3a)

Hazards generated by moving parts contributing to the work (directly involved in the process as, e.g., tools). Can they be made completely inaccessible while working?

Yes:
- fixed guards (see 4.2.2.2), or
- interlocking guards with or without guard locking, with automatic monitoring (see 4.2.2.3b), or
- safety devices (see 4.2.3),
selected according to the need for access to the danger zone (see 4.1.2 and 4.1.3).

No:
- fixed guards (see 4.2.2.2), preventing access to the moving parts in the zones away from the process, and
- adjustable guards (see 3.22.3 in EN 292-1) restricting access to the moving parts in those zones where it is necessary for the process]

Fig. 3.2 EN 292-2 provides information on how to incorporate safety into a machine, such as this diagram
for choosing safeguards.

3.2 The Directives

From the definition of “machinery,” to a machinery manufacturer’s ability to demonstrate
conformity, to applying the CE marking, the Machinery Directive sets forth the laws with
which all manufacturers must comply. Although the Machinery Directive is moderately long (see
Figure 3.3) and written like a legal document, all manufacturers must read it. It is the law, and
ignorance of the law is no excuse for failing to comply.
Articles 1-14 of the Machinery Directive are written in legal jargon. Conversely, Annexes I-VII
of the Machinery Directive are relatively easy to follow. The Annexes are very important, and
particularly Annex I, which covers Essential Health and Safety Requirements (EHSRs).
After the Machinery Directive, manufacturers must review other directives for applicability
(note: multiple directives often apply). The three directives most likely to apply to machinery
using control products are the Electromagnetic Compatibility (EMC) Directive (89/336/EEC),
the Low Voltage (LV) Directive (73/23/EEC), and the Product Liability (PL) Directive
(85/374/EEC).
There are also directives for batteries, explosive atmospheres, simple pressure vessels,
personal protection equipment and dangerous substances.

Interpreting the Machinery Directive

To clarify the Machinery Directive, the Fédération Européenne de la Manutention (FEM, a
federation of manufacturers) has produced a document which quotes the directive, provides valuable
comments and lists notified bodies. This document is titled “Interpreting the machinery directive
and affixing the CE mark.” To order, contact FEM at Kirchenweg 4, CH-8032 Zürich, Switzerland.
Phone: 011-41-1-384-48-44. Fax: 011-41-1-384-48-48.
Contents of the Machinery Directive
Foreword
Introduction
Glossary of terms
Summary of Machinery Directive
The EC Machinery Directive (89/392/EEC) with amendments and interpretations
Recitals
Article 1: Scope of the directive
Article 2: Primary obligation of the member states
Article 3: Obligation of the manufacturer
Article 4: Free movement of machinery
Article 5: Use of standards as a means of assuring conformity
Article 6: Establishment of committees to deal with matters related to the directive
Article 7: Establishment of the authority of member states to review conformance of machinery
Article 8: Requirements of the manufacturer to demonstrate conformity
Article 9: Establishment of the authority of member states to designate Notified Bodies
Article 10: CE marking
Article 11: Notification and rights of manufacturer in case of claim of non-conformity by member states
Article 12: Availability of information on all relevant decisions
Article 13: Effective date and transition periods
Article 14: Repeal of conflicting directives
Annex I: Essential Health and Safety Requirements
Annex II: Contents of the EC declaration of conformity
Annex III: CE marking (replaced by 93/68/EEC)
Annex IV: Types of machinery and safety components for which the procedures in article 8 must be applied
Annex V: EC declaration of conformity
Annex VI: EC type examination
Annex VII: Minimum criteria to be taken into account by member states for the notification of bodies

Fig. 3.3

3.3 EMC Directive
Apparatus must comply with the EMC Directive when it is liable to cause electromagnetic
disturbances or its performance is liable to be affected by such disturbances. This is particularly
true if the disturbance results in a sudden risk increase, which then becomes a safety issue
(e.g., initiation of an unexpected motion as the result of an inductive proximity sensor
triggering “On” accidentally).
The EMC Directive states that all “apparatus” placed in the EU/EEA market shall be
constructed so that:
• “The electromagnetic disturbance it generates must not exceed a level allowing
radio and telecommunications equipment and other apparatus to operate as intended.”
• “The apparatus has an adequate level of intrinsic immunity to electromagnetic
disturbance to enable it to operate as intended.”
Most products that make use of electrical energy generate, or are susceptible to, electromagnetic
fields. Annex III of the EMC Directive states that electromagnetic disturbance generated by a
product should especially not hinder apparatus such as: industrial manufacturing equipment,
mobile radio equipment, telecommunications networks and apparatus, information technology
equipment, domestic appliances, and lights and fluorescent lamps. Though not called out in the
directive, be especially aware of the effects of motors and electric drives, “crosstalk” between
power cables, and inadequate or improper grounding.

3.4 The Low Voltage Directive

This directive applies to equipment where the risks are mainly electrical in origin. It
covers equipment (including components and assemblies) which operate at 50-1000V AC
or 75-1500V DC. The Low Voltage Directive states that, when installed and operated as
intended, equipment of this type must not endanger the safety of persons, domestic animals
or property. Designers should review Annex I of the Low Voltage Directive, which sets out
principal safety objectives.
3.5 The Product Liability Directive

This directive, which addresses liability for defective products, states that the injured persons
shall be required to prove the damage, the defect(s) and the causal relationship between the
damage and the defect(s). The directive also states that a product is defective when it does not
provide the safety a person is entitled to expect, taking all circumstances into account. Further,
a product shall not be considered defective for the sole reason that a newer product is
subsequently put into circulation.
The Product Liability Directive sets forth circumstances under which a manufacturer
shall not be liable:
• That he did not put the product into circulation
• The defect which caused the damage did not exist at the time when the product was put
into circulation
• The product was not manufactured for sale or any form of distribution for economic purposes
• The defect is due to compliance of the product with mandatory regulations
• The state of scientific and technical knowledge at the time when the product was put into
circulation was not such as to enable the detection of the defect
• In the case of a component used within a product, the defect can be attributed to the design
of the product or the instructions provided with the product

Know EMC and LV
Though not the focus of this book, the EMC and Low Voltage Directives often impact machine
design quite significantly. Machine builders should thoroughly understand the requirements
of these directives.
3.6 Examining Type A, B and C standards

Machinery Directive and Annexes; other directives: Provide essential health & safety requirements. Are laws.
Type A Standards (EN 292, EN 1050): Applies to all machinery.
Type B1 Standards (EN 954, EN 60204): Broad safety principles for component safety and electrical equipment.
Type B2 Standards: Covers one safety aspect or safety-related device.
Type C Standards: Covers one type or class of machinery. Standards are product/product family specific.

Fig. 3.4 Hierarchy of directives and standards.

CEN/CENELEC divides the EN standards into three groups according to the subject(s)
they cover and also makes them hierarchical in nature (see Figure 3.4). To obtain CE marking,
manufacturers must determine which standards apply to their products, then review and apply
the appropriate ones.
Type A standards cover fundamental safety standards, apply to all types of machinery, and are
essential reading. The two most important Type A standards for manufacturers to review are
EN 292 Safety of machinery (discussed in section 3.1) and EN 1050 Safety of machinery —
Principles for risk assessment (discussed in section 3.8).
Type B standards are group standards and deal with only one safety aspect or one type of
safety-related device (which can be used on a wide range of machinery; see Appendix A of this
book for a selected list of B standards). The Type B standards fall into two classes, B1 and B2.
B1 standards deal with one particular safety aspect, such as the effectiveness of safety functions,
safety distances, hand/arm speed, noise, etc. The two most encompassing Type B1 standards are
EN 60204-1 Safety of machinery — Electrical equipment of machines, and EN 954-1 Safety of
machinery — Safety related parts of control systems [Part 1: General principles for design].
Appendix B of this book provides an electrical equipment checklist (based on EN 60204-1) that
will help designers conform with the standard.
B2 standards deal with safety-related devices (e.g., interlocks, emergency stops, various safety
switches, two-hand controls, proximity devices — again, see Appendix A). If manufacturers use
one of these safety devices on a machine, then the device must be designed and applied according
to the relevant standard.

EN 60204 electrical checklist
EN 60204-1 (which is comparable to IEC 204) provides a very comprehensive list of electrical
equipment design aspects to which manufacturers should adhere. Appendix 2 of this book provides
a checklist for designers based on this standard, as well as an “inquiry form” that OEMs should
give to end-users of electrical equipment.

While Type A and B standards cover most types of machines and relevant safety standards,
Type C standards give detailed safety requirements for specific types of machines. Type C
standards are based on applicable sections of relevant Type A and Type B standards, but the
Type C standards may deviate from them where appropriate or necessary.
Verify (test or inspect) that machinery meets requirements of applicable sections of Annex I

3.7 Annex I — Essential Health and Safety Requirements

Before building a machine, all designers must thoroughly familiarize themselves with the
Essential Health and Safety Requirements (EHSRs) found in Annex I of the Machinery Directive.
This law states that “Machinery must be so constructed that it is fitted for its function,
and can be adjusted and maintained without putting persons at risk when these operations
are carried out under the conditions foreseen by the manufacturer. The aim of measures taken
must be to eliminate any risk of accident throughout the foreseeable lifetime of the machinery,
including the phases of assembly and dismantling.”
Annex I sets forth laws on:
• Controls: reliability, starting and stopping, energy isolation, control failures
• Protection against mechanical hazards
• Protection against other hazards: electricity, temperatures, fire, explosion, tripping,
falling, and others
• Maintenance
• Indicators: warning, marking, instructions
See Appendix C for a more complete listing of EHSRs.
Annex I epitomizes the EU’s common sense approach to safety. For example:
• After an interruption or fluctuation in...the power supply...the machinery must not
start unexpectedly.
• A fault in the control circuit logic, or failure of or damage to the control circuit must
not lead to dangerous situations.
• Movable guards must be designed and incorporated into the control system so that
moving parts cannot start up while they are within the operator’s reach.

Conduct Risk Assessment and Risk Estimation.
Apply requirements of 'A' & 'B' standards as needed.

3.8 Risk assessment — EN 1050

Risk assessment is a series of logical steps to enable, in a systematic way, the examination
of hazards associated with machinery; it is then followed (when necessary) by risk reduction.
Repeating this process eliminates hazards and/or implements safety measures as far as
possible. Refer back to Figure 3.1 for a schematic representing this strategy.
EN 1050, a Type A standard, describes principles for a consistent, systematic procedure for
risk assessment, and it gives guidance for making decisions during the design of machinery.
The five basic components (or steps) of EN 1050 are:
1. Determination of the limits of the machinery. Refer to EN 292.
2. Hazard identification. Refer to Annex A of EN 1050 for examples of hazards;
Annex B describes methods for the systematic analysis of hazards (Failure Mode
and Effects Analysis, etc.).
3. Risk estimation (described in detail in section 3.9)
4. Risk evaluation — determine if risk reduction is required or whether safety has been
achieved. If risk reduction is required, reduce risk by design, safeguarding and/or
informing operators.
5. Documentation — demonstrate the procedure followed and results achieved.

3.9 Risk estimation — EN 1050 and EN 954


Since all machinery containing identified hazards presents a risk, machine designers must
be able to evaluate the risk. In turn, this will allow designers to employ appropriate levels of
safety measures.
The risk associated with a particular situation or process can be represented in an equation
where: Risk = Severity + Probability + Frequency. Figure 3.5 gives guidance only (it is not
a substitute for meeting the standard) for helping the designer to choose a category based
on risk assessment.

Estimate the severity (possible degree of harm) by considering the:

• Severity of injury:
S1 Slight (normally reversible) injury or damage to health
S2 Serious injury or damage to health (normally irreversible, including death)

Estimate the probability of harm occurring by considering the:

• Frequency and duration of exposure:
F1 Seldom to quite often and/or short exposure time
F2 Frequent to continuous and/or long exposure time

• Possibility to avoid or limit the harm:
P1 Possible under specific conditions
P2 Scarcely possible

When a hazardous situation occurs, P1 should only be selected if there is a realistic chance of avoiding an accident
or of significantly reducing its effect. P2 should be selected if there is almost no chance of avoiding the hazard.

[Risk graph: from the starting point, branches for S1 and S2, F1 and F2, and P1 and P2 lead to rows across the category columns B, 1, 2, 3 and 4. The markings inside the graph are not reproduced in this text.]

Category selection
B, 1 to 4: Categories for safety related parts of control systems
Legend entries of the graph:
- Preferred categories for reference points
- Possible categories which can require additional measures
- Measures which may be overdimensioned for the relevant risk

Fig. 3.5 Guidelines for risk estimation from EN 954-1, Annex B.

NOTES: 1. Annex B is informative, not normative. The correct use of EN 954-1 requires attention to ALL
of its clauses, not just the requirements for its categories.
2. Two common misconceptions occur with the categories noted in EN 954-1: that they represent
levels of risk and that they are hierarchical. THIS IS NOT TRUE. The categories should be
considered as reference points for the performance of a safety-related part of a control system
with respect to the occurrence of faults.
3. A weakness of EN 954-1 is that the categories are basically defined in terms of performance
under fault conditions. As such, there is no mechanism for culturing the choice of a given
performance category by the comparative reliability of differing risk abatement options or
technologies. The 1996 version of EN 954-1 is currently being reviewed to address this situation.
Once a hazard is identified, it is important to know if it can be identified by physical
means (i.e., watching the machine move) or only by technical means (i.e., indicators). Other
important aspects which influence the selection of parameter P (Possibility) include:
• Operation with or without supervision
• Operation by experts or non-professionals
• Speed with which the hazard arises
• Possibilities for avoiding the hazard (reaction time, third-party intervention)
• Practical experience relating to the process
• Probability that the harmful event will occur

3.10 Performance categories — EN 954


Parts of machinery control systems (both hardware and software) are frequently assigned
to provide safety functions. A safety-related part of the control system means a part or
subpart(s) of a control system which responds to input signals and generates safety-related
output signals. The combined safety-related parts of a control system start at the points where
the safety-related signals are initiated and end at the output of the power control elements. This
also includes monitoring systems.
EN 954 (a Type B1 standard) provides requirements and guidance for designing the safety-
related parts of control systems. It describes characteristics of safety functions and specifies
performance categories, but it does not specify which safety functions and which categories
shall be used in a particular case.
Clause 6.2 of EN 954 states that designers should construct safety-related parts of control
systems to meet the requirements of one or more of five performance categories. Figure 3.6
summarizes these requirements and the corresponding behavior expected of the safety function
principles.
Further explanation of the category requirements will help machine designers select and/or
design safety-related components.
Guide to the Categories for Safety-Related Parts of Control Systems From EN 954-1

Category B
Basic requirements: Components able to withstand expected influences.
What is achieved, at least: Reliability for normal operation.
What is achieved, at most: Reliability for normal operation.

Category 1
Basic requirements: Requirements of cat. B together with: Use of well-tried (e.g., tested or provable) components and safety principles.
What is achieved, at least: Enhanced reliability of the safety function from that of a “normal” device or system.
What is achieved, at most: Elimination of fault possibilities (i.e., high level of safety performance).

Category 2
Basic requirements: Requirements of cat. B and the use of well-tried safety principles together with: A safety function check at machine start-up and periodically if required.
What is achieved, at least: Machine can only start when system is safe.
What is achieved, at most: Machine can only start up when system is safe and faults will be detected by a frequent check (i.e., high level of safety performance).

Category 3
Basic requirements: Requirements of Cat. B and the use of well-tried safety principles together with: A single fault will not cause a loss of safety function.
What is achieved, at least:
• Detection of some single, safety-critical faults at the next demand on the safety function.
• Safety-critical faults can accumulate between demands on the safety function.
• Non-detected, non-safety critical faults can accumulate and cause loss of safety function.
What is achieved, at most: Detection of ALL single faults (safety-critical and non-safety critical) as they occur (i.e., high level of safety performance when it is not feasible to expect multiple independent faults to accumulate within the checking period).

Category 4
Basic requirements: Requirements of cat. B and the use of well-tried safety principles together with: Assimilation of faults will not cause a loss of safety function (the number of faults in accumulation to be considered is normally two but may be more depending on the application circumstances).
What is achieved, at least:
• Detection of single faults in time to prevent the loss of safety function.
• Foreseeable combinations of faults will not cause loss of safety functions.
What is achieved, at most:
• Detection of single faults immediately.
• No combinations of faults will cause loss of safety functions (this is the ideal but rarely achieved in practice).
High level of safety performance.

NOTES: 1. If, as a consequence of a fault, further faults occur, all the linked faults shall be considered
as a single fault.
2. Common mode faults are regarded as a single fault.
3. The occurrence at the same time of two independent faults is not considered.
Guide to the Categories for Safety-Related Parts of Control Systems From EN 954-1

Category B
Factors affecting the degree of performance: Availability of standards, test data, etc.
Typical techniques: Use of materials and components conforming to recognized standards, etc.
Validation methods: Check specifications for conformity and suitability

Category 1
Factors affecting the degree of performance: The simplicity or complexity of the system and principle (i.e., fewer components means fewer potential modes of failure and more viable validation).
Typical techniques:
• Positive mode operation, life testing, oriented failure mode (e.g., defined weak link) - relevant to simple (e.g., mechanical) equipment
• Validation measures are usually too involved or not possible for more complex (e.g., electronic) equipment.
Validation methods:
• Fault analysis (e.g., Failure Mode and Effects Analysis or Fault Tree Analysis)
• Testing.
• Checking of safety margins.

Category 2
Factors affecting the degree of performance: The frequency and nature of the check (i.e., more frequent checks allows less time for faults to remain undetected).
Typical techniques: Simulation of device actuation and functional check by machine control system or dedicated monitoring unit with start interlock.
Validation methods: Theoretical analysis and/or testing.

Category 3
Factors affecting the degree of performance: The frequency and nature of the check (i.e., more frequent checks allows less time for faults to accumulate).
Typical techniques:
• Dual contact (or two separate) devices linked by two circuits to a separate unit which compares operation of each circuit at change of state
• Suitable where some faults cannot be prevented and there is relatively frequent actuation — particularly relevant to electro-mechanical technology.
Validation methods: Theoretical analysis and/or testing.

Category 4
Factors affecting the degree of performance: The simplicity or complexity of the system and principle (i.e., fewer or simpler components mean fewer fault combination permutations).
Typical techniques: Dynamic techniques. Relevant to equipment which must be complex to perform its primary task. Particularly relevant to electronic technology.
Validation methods: Theoretical analysis and/or testing.

Category B
No special measures for safety apply to parts complying with category B. The parts,
when applied according to their specifications, should be able to withstand the expected
operating stresses (e.g., load, number of operating cycles), the influence of material processed
(e.g., detergents in a washing machine), and the relevant external influences (e.g., vibration,
power disturbances).

Category 1
A well-tried component for a safety-related application is a component which has been:
1) widely used in the past with successful results in similar applications; or 2) made and
verified using principles which demonstrate its suitability and reliability for safety-related
applications. In some well-tried components, certain faults can be excluded because the fault
rate is known to be very low.
Well-tried safety principles are, for example:
– avoidance of certain faults; e.g., avoidance of short circuit by separation
– reducing the probability of faults; e.g., over-dimensioning or underrating
of components
– orienting the mode of fault; e.g., by ensuring an open circuit when it is vital
to remove power in the event of fault
– detecting faults very early
– restricting the consequences of a fault; e.g., grounding of equipment
Newly-developed components and safety principles may be considered equivalent
to “well-tried” if they fulfill the above mentioned conditions.
Note: On the level of single electronic components alone, it is not normally possible
to meet category 1 requirements. See Appendix D for a list of some significant faults and
failures for various technologies.
Safety categories ≠ Safety hierarchy
Designers should note that performance categories do not indicate a safety hierarchy (i.e.,
category 4 is not necessarily safer than category 1). Rather, these categories state the required
behavior for a safety system in relation to its resistance to faults. Thus, according to the
performance category required, machine designers must select safety-related parts on their
ability to resist faults (i.e., both reliability and availability of the safety function must be
considered).

Safety ≠ reliability
However, designers must not confuse reliability and safety. For example, a system with unreliable
components in a redundant structure can provide more safety than a non-redundant system with
better components. This concept is important because in applications where the consequences of
failure are serious, safety requires the higher priority regardless of the reliability achieved.
Designers may want to refer to Annex D of EN 954 for more details.

Category 2
Any check of safety functions (which can be automatic or manual) shall either: 1) allow
operation if no faults are detected; or 2) generate an output which initiates control action if a
fault is detected. When possible, this output shall initiate a safe state (e.g., prevent
starting/restarting if the safety function is not available). When not possible, the output shall
provide a warning of the hazard. In some cases, category 2 does not apply because checking cannot
be applied to all components, e.g., a pressure switch or temperature sensor.

Category 3
Typical examples of feasible measures for fault detection are the connected movement of relay
contacts (i.e., “positive guidance”) or monitoring of redundant electrical outputs. “Feasible”
means that fault detection measures, and the extent of their implementation, depend mainly on
the consequence of a failure and the probability of the occurrence of that failure. The
technology used influences the possibilities for implementing fault detection.

Category 4
Fault review may be stopped when the probability of further faults occurring is sufficiently
low. The number of faults considered “sufficiently low” varies. For example, in the case of
complex microprocessor circuits, a large number of faults can exist. Conversely, in an
electro-hydraulic circuit, two or three faults can be sufficient to initiate a safety action.
Fault review may be limited to two faults in combination when: the fault rates of the components
are low AND the faults in combination are largely independent of each other AND the faults have
to appear in a certain order to jeopardize the safety function.
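
The category 3 behavior summarized in the guide table (two circuits compared by a separate unit at change of state, single faults found at the next demand, faults able to accumulate between demands) can be traced in a small model. This Python sketch is an added illustration, not taken from EN 954-1 or from this handbook; the class names, the welded-contact fault and the instantaneous comparison with no discrepancy time window are assumptions.

```python
"""Toy model of a dual-channel guard interlock with a comparing monitor unit.

Illustrative only: the names, the welded-contact fault and the instantaneous
comparison (no discrepancy time window) are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass
class Contact:
    """Interlock contact: closed while the guard is shut, open when it opens."""
    welded: bool = False  # constructed fault: contact stuck closed

    def is_closed(self, guard_shut: bool) -> bool:
        return True if self.welded else guard_shut


class MonitoringUnit:
    """Separate unit that compares both circuits at every change of state."""

    def __init__(self) -> None:
        self.lockout = False  # latched once the two circuits disagree

    def update(self, a_closed: bool, b_closed: bool) -> bool:
        if a_closed != b_closed:
            self.lockout = True
        # Run enable: both circuits closed and no latched fault.
        return a_closed and b_closed and not self.lockout


class DualChannelInterlock:
    def __init__(self) -> None:
        self.a = Contact()
        self.b = Contact()
        self.monitor = MonitoringUnit()

    def set_guard(self, shut: bool) -> bool:
        """Move the guard; return True if the machine is allowed to run."""
        return self.monitor.update(self.a.is_closed(shut), self.b.is_closed(shut))


def single_channel_run_enable(contact: Contact, guard_shut: bool) -> bool:
    """Unmonitored single circuit, for contrast: run enable follows the contact."""
    return contact.is_closed(guard_shut)


def single_fault_scenario() -> dict:
    """One contact welds; the guard is then opened (a demand) and shut again."""
    il = DualChannelInterlock()
    result = {"run_before_fault": il.set_guard(True)}
    il.a.welded = True
    # Guard still shut: both circuits read closed, so the fault is latent.
    result["run_with_latent_fault"] = il.set_guard(True)
    # Demand: the healthy circuit opens, so the machine stops and the
    # disagreement between the circuits latches the lockout.
    result["run_on_demand"] = il.set_guard(False)
    result["fault_detected"] = il.monitor.lockout
    # Shutting the guard again must not restart the machine.
    result["run_after_reclose"] = il.set_guard(True)
    return result


def accumulated_fault_scenario() -> dict:
    """Both contacts weld before any demand occurs, so nothing is compared."""
    il = DualChannelInterlock()
    il.set_guard(True)
    il.a.welded = True
    il.b.welded = True
    # Demand: neither circuit opens, the unit sees no disagreement and the
    # run enable stays on. The safety function is lost.
    return {"run_on_demand": il.set_guard(False),
            "fault_detected": il.monitor.lockout}


if __name__ == "__main__":
    print("single channel, welded contact, guard open ->",
          single_channel_run_enable(Contact(welded=True), guard_shut=False))
    print("dual channel, single fault ->", single_fault_scenario())
    print("dual channel, accumulated faults ->", accumulated_fault_scenario())
```

The second scenario is why the table names the frequency of the check as the factor affecting category 3 performance: the comparison only runs when the guard actually changes state.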


When making purchasing decisions, consider that well-tried components help meet category 1
and higher requirements.
3.11 Risk, performance and selection

To help further guide the designer on how to relate risk and anticipated performance
when selecting a performance category, consider three examples.
For the first example, imagine a two-hand control used in connection with a large power
press. Risk analysis has determined that if the two-hand control fails it could initiate a power
stroke resulting in amputation or death. This extreme risk requires a high performance level
for that part of the control system and, in most cases, dictates meeting category 4 requirements.
The second example is a two-hand control used on a packaging machine where the possible
severity of injury is not more than a severe cut or bruise with a low to medium probability
of occurrence. The minimum performance level for this “medium risk” would be lower than
required for the large power press, and meeting category 2 requirements would likely suffice
(and depending on design and product selection, category 1 might be sufficient).
The third example is a simple machine used to stake on wire terminals. Any injury that
could occur is slight, and the probability of that occurring is low. A less-sophisticated category 1
performance level might be acceptable.
The point of these examples is that it is probably not necessary to select a category 4
performance level when the risk is low. However, even a “well-designed” category 1 system
probably cannot be expected to provide the required minimum performance level for high risk
machinery. Further, do not assume that a well-designed system meeting category 4
requirements provides adequate safety for a high risk situation. Designers must make a risk
evaluation and determine whether there is a need to provide other means of safeguarding (e.g.,
fixed barriers).
3.12 Summary
By using EN 1050 and EN 954, the machine designers’ objective is to ensure that the
safety-related parts of a control system produce outputs which can achieve risk reduction
objectives. The process for selecting and designing safety measures takes five steps.

Step 1: Hazard analysis and risk assessment


- Identify the hazards present at the machine during all modes of operation and at each
stage in the life of the machine by following the guidance in EN 292-1 and EN 1050.
- Assess the risk arising from those hazards and decide the appropriate risk reduction
for that application in accordance with EN 292-1 and EN 1050.

Step 2: Decide measures for risk reduction by control means


- Determine the design measures at the machine and/or the provision of safeguards
to provide the risk reduction. Those parts of the control system which contribute
as an integral part of the design measures and/or in the control of the safeguards
shall be considered safety-related parts.

Step 3: Specify safety requirements for the safety-related parts of the control system
- Specify the safety functions to be provided in the control system [Appendix E
provides a list of typical safety functions which can be provided by the safety-related
parts of a control system. The list also references the relevant parts of standards.]
- Specify how the safety functions will be realized and select the category(ies) for each
part and combinations of parts within the safety-related parts of the control system.

Step 4: Design
- Design the safety-related parts of the control system according to the specification
developed in step 3 and to the general strategy for design. List the design features
included which provide the design rationale for the category(ies) used.
- Verify the design at each stage to ensure that the safety-related parts fulfill the
requirements from the previous state in the context of the specified safety function(s)
and category(ies).
Step 5: Validation
- Validate the achieved safety functions and category(ies) against the specifications
in step 3. Re-design as necessary.
- When programmable electronics are used in the design of safety-related parts
of the control systems other detailed procedures are required (see Notes 1 and 2).
Note 1: It is believed at present that it is difficult to determine with any degree of certainty,
in situations when a significant hazard can occur due to the malfunction of the control system,
that reliance on correct operation of a single channel of programmable electronic equipment
can be assured. Until such time that this situation can be resolved, it is inadvisable to rely on
the correct operation of a single channel device (according to 11.3.4 of EN 60204-1).
Note 2: A proposed international standard, IEC 1508, may provide more guidelines for
the functional safety of programmable electronic systems when such systems are used as
safety-related systems.
To facilitate the design process, Annex A of EN 954 lists some important aspects to
consider during the design process. These are:
1. What reaction is required from the safety-related parts of the control system(s)
when faults occur?
a) No special action required.
b) Safe reaction required within a certain time.
c) Safe reaction immediately required.
2. In which safety-related part(s) of the control system should faults be assumed?
a) Only in those parts in which (by experience) faults occur relatively often;
e.g., in the peripheral sensors and wiring.
b) In auxiliary parts.
c) In all safety-related parts.
3. Have both random and systematic faults been considered?
4. Which faults should be assumed in the components of the safety-related parts
of the control system?
a) Faults only in components which are not well-tried. [“Well-tried” not
in the sense of reliability, but from the view of safety.]
b) Faults in all components.
5. Has the correct reference category been selected as it relates to the requirement
for detecting faults?
a) Normal requirements for fault detection. [This means that all faults which
can be detected with relatively simple methods should be detected.]
b) Strong requirements for fault detection. [This means that techniques should be
used which enable most of the faults to be detected. If this is not reasonably
practical, combinations of faults should be assumed (fault accumulation).]
6. What shall be the next action of the control system if a fault has been detected?
a) The machine should be brought to a predetermined state as required by the
risk assessment.
b) Further operation of the machine can be permitted until the fault is rectified.

c) The indication of the fault(s) is sufficient
(e.g., warning signal by Visual Display Units (VDU)).
7. What is necessary to meet the maintenance requirement?
a) Provision of information about the effects of deviations from design
specifications.
b) Automatic indication of the need of maintenance.
c) Setting of maintenance intervals.
d) Setting of component life.
e) Provision of diagnostic facilities and test points.
f) Special precautions for safety during maintenance.
8. What methods should be used for fault detection?
a) Automatic fault detection, as far as it is appropriate.
b) Manual fault detection; e.g., by periodic inspection.
c) By more than one method.
9. Has the risk reduction been achieved?
a) Can the risk reduction be achieved more easily with a different combination
of risk reduction measures?
b) Check that the measures taken . . .
- do not reduce the ability of the machine to perform its function,
- do not generate new, unexpected hazards or problems.
c) Are the solutions valid for all operating conditions and for all procedures?
d) Are these solutions compatible with each other?
e) Is the safety specification correct?
10. Have ergonomic principles been considered?
a) Are the safety-related parts of the control system, including the protective
devices, easy to use?
b) Is there safe and easy access to the control systems?
c) Are warning signals given priority (e.g. highlighted)?
11. Have the relationships between safety, reliability, availability and ergonomics been
optimized in such a way that the safety measures will be maintained during the
lifetime of the system and will not tempt personnel to defeat the safety functions?
CE conformity is your passport to the European market, but you still must create a “Technical File,”
produce and sign a “Declaration of Conformity” and adhere to other EU rules.
CHAPTER 4
Post Design and Construction Requirements
4.0 So you’ve complied with requirements — now what?
4.1 Information for use
4.2 Advice for drafting information for use
4.3 The Technical File
4.4 Declaration of Conformity
4.5 Can you self-certify?
4.6 CE marking
4.0

So you’ve complied with requirements — now what?


After building a machine and verifying that it complies with the directives and standards,
manufacturers need to complete five more steps before affixing CE marking:
1. Create “information for use”
2. Generate a “Technical File”
3. Submit a product sample to a Notified Body, or learn if the product does not have
to be submitted to a Notified Body
4. Create the “Declaration of Conformity”
5. Learn how to properly apply CE marking
While much easier and quicker to absorb than the previous material (it’s downhill from
here!), the post-design and post-construction portions of the directives are still law and,
importantly, still contribute significantly to safety.


4.1

Information for use


Creating good “information for use” — instructions for using the machinery — contributes
significantly to the safety of machinery. Annex I, clause 1.7.4 of the Machinery Directive
states that all machinery must be accompanied by instructions that cover items such as the
foreseen use of the machinery; workstation(s) likely to be occupied; instructions and diagrams
for safe: putting into service, use, handling, assembly, dismantling, adjustment, and
maintenance; and a repeat of information with which the machine is marked.
The Machinery Directive mandates that, on being put into service, instructions
accompanying the machinery must be in the language(s) of the country in which the machinery
is to be used (this is in addition to instructions in the manufacturer’s native language). Further,
when manufacturers source components from other companies, they must obtain all necessary
instructions from suppliers and incorporate those instructions into their own instructions
in a logical manner. For example, take the instructions for a piece of machinery using a
DC motor with brushes. Motor maintenance procedures and schedules should be included as an
integral part of the entire machine’s maintenance instructions. Including a line such as
“Motor maintenance — see accompanying motor manual” and attaching the motor supplier’s
owner manual at the end of machinery instructions is generally not sufficient.
Clause 5 of EN 292-2 also details requirements for “information for use.” It recommends
that instructions contain information in basic areas, e.g., modes for stopping the machine,
fault identification and location, nature and frequency of maintenance, permissible
environmental conditions, etc. Further, it specifically discusses the location of information
(i.e., on the machine itself if the risk warrants); signals and warning devices; markings,
signs (pictograms) and written warnings; and accompanying documents (e.g., the instruction
handbook).

Directions and Safety
Machine manufacturers should provide directions for safe and correct use of the machine.
The directions and information must not compensate for design deficiencies.

4.2

Advice for drafting information for use


a) The information for use must clearly relate
to the specific model of machine.
b) When information for use is being prepared,
the communication process “see - think - use”
should be followed in order to achieve the maximum effect and should follow
sequential operations. The questions “How?” and “Why?” should be anticipated and
the answers provided.
c) Information for use must be as simple and as brief as possible, and should be expressed
in consistent terms and units with a clear explanation of unusual technical terms.
d) When it is foreseen that a machine will be put to non-professional use, the instructions
should be written in a form that is readily understood by the non-professional users. If
personal protective equipment is required for the safe use of the machine, clear advice
should be given and this information must be prominently displayed at the point of
sale; e.g., on the packaging as well as on the machine.
e) Documents giving instructions for use should be produced in durable form (i.e. they
should be able to survive frequent handling by the user). It may be useful to mark
them “keep for future reference.”


A “Technical File” is the principal means of assessing conformity. Only national authorities of an
EU/EAA country have the right to see it.
4.3

The Technical File


Before drawing up the EC declaration of conformity, the machine builder must ensure
that certain technical documentation is available for inspection purposes. This documentation
is called a “Technical File” (TF), and it is a principal means of assessing product conformity.
The TF must contain the following:
A. An overall drawing of the subject equipment.
B. Full detailed drawings, accompanied by any calculations, notes, test results, etc.,
required to check the conformity of the equipment with the EHSRs.
C. A list of the essential requirements of the Machinery Directive, standards, and other
technical specifications, which were followed when the equipment was designed.
D. A description of methods adopted to eliminate hazards presented by the equipment.
E. If essential, any technical report or certificate obtained from a competent testing
body or laboratory.
F. Any technical report giving the results of tests carried out internally by
engineering or others.
G. Documentation and test reports on any research or tests on components, assemblies
and/or the complete product to determine and demonstrate that by its design
and construction the product is capable of being installed, put into service and
operated safely.
H. Determination of the foreseeable lifetime of the product.
I. A copy of the instructions for the product (Instruction Manuals/Instruction Books).
J. For serial manufacturing, the internal measures that will be implemented
to ensure that the equipment will continue to be manufactured in conformity with
the provisions of the Machinery Directive and other applicable directives.
K. Engineering Reports.
L. Laboratory Reports.
M. Bills of Material.
N. Wiring Diagrams.
O. Sales Order Engineering Files.
P. Hazard Evaluation Committee Reports, if executed.
Q. Change Records.
R. Customer Specifications.
S. Any Notified Body Technical Reports and Certification Tests (if applicable).
T. Copy of the Declaration of Conformity.

Testing components
Machine manufacturers must evaluate the applicability of components and fittings on the
completed machine to determine if the machine can be put into service safely. This helps
to ensure that machine manufacturers cannot pass on safety responsibilities to their
vendors. For companies that manufacture a series of machines, the company must show the
measures it plans to use to ensure that the machinery remains in conformity.

Important items to note about the TF:


• The documentation noted above need
not permanently exist in the TF.
However, the manufacturer must be
able to assemble the documentation
(or specific portions of it) and make
it available within a period of time
commensurate with its importance
(one week is considered a reasonable
time). As a minimum, each machinery
TF must physically contain an index
of the applicable documents or material
listed above.
• The TF may be in hard copy or software
form (provided that the software form
can be easily reproduced in hard copy).
• Only the National Authorities (duly authorized agents of member states) have
the right to see the contents of the TF. The National Authority must specify what
portion of the TF is required and a suitable reason for the request. The Directive
does not give the client (user) or others the right to see the file.
• The Technical File must be maintained at the location of the product
(machinery) design.
• The TF (including all documentation) must be retained and kept available for 10 years
following the date of placing the product in the EU or from the last unit produced
in the case of series manufacture.
• The TF must be drawn up in one of the official languages of the EU: English, French
or German.
• The EU is currently considering a proposal whereby EU inspection authorities should
accept subdivision of the TF into two parts. The first part (A) would consist of a
summary of the essential technical data relevant to the conformity assessment
procedures (in particular: a product description; the list of harmonized standards
followed and/or solutions adopted to satisfy EHSRs; operating instructions, if any;
and a blueprint/product plan, if any). The second part (B) would consist of a full file
of all data.


4.4

Declaration of Conformity
The EC Declaration of Conformity (DOC) is the procedure by which manufacturers
declare that the machinery being placed on the market complies with all the Essential
Health and Safety Requirements (EHSRs) applying to it. Signing the DOC authorizes
the manufacturer to affix the CE marking to the machinery. A copy of the DOC must accompany
each product sold.

Contents of the DOC include:

A. Name and address of the manufacturer.
B. Description of the machinery.
C. Where appropriate, the name and address of the Notified Body and the number of the
EC type examination certificate.
D. Where appropriate, the name and address of the Notified Body to which the file has been
forwarded in accordance with Article 8 (2) (c) of the Machinery Directive.
F. Where appropriate, a reference to the harmonized standards.
G. Where appropriate, the national technical standards and specifications used.
H. Identification of the person empowered to sign on behalf of the manufacturer or his
authorized representative(s) in the EU.

CE marking & DOC demonstrates conformity
Coupled with CE marking, the DOC indicates that a product complies with the Machinery
Directive and all other directives which may apply.

For components that will be incorporated into
another machine and do not fully comply with the
directives, the manufacturer must make an EC
Declaration of Incorporation. This includes providing the same information noted above, as
well as a statement that the machinery must not be put into service until it is brought into full
compliance, or the machinery in which it is to be incorporated is brought into full compliance.
Manufacturers who offer components for the safety-related parts of control systems must
also draw up a DOC, being sure to note the safety function intended if it is not obvious from
the description. Samples for all three types of DOCs are given in Appendix F.


4.5

Can you self-certify?


Roughly 95 percent of all manufacturers can self-certify compliance with the directives
and standards and affix CE marking without involving a third party (i.e., a Notified Body).
To self-declare, manufacturers must: be confident of conformity assessment procedures,
provide a TF, make a DOC, and affix CE marking.
The other five percent of manufacturers may have to follow a different procedure. The
EU has identified certain types of high-risk machinery (such as presses and saws) and certain
safety components (such as logic units and devices designed to detect persons for safety
reasons) and listed them in Annex IV of the Machinery Directive (see Appendix G for a
complete listing).
Manufacturers of machinery and/or devices listed in Annex IV have two paths to choose
from to obtain CE marking.
1) If the manufacturer has fully complied with EHSRs and all relevant standards and is
confident of compliance, the manufacturer must either:
• Send a TF to a Notified Body who will A) acknowledge receipt of the file and keep it,
or B) verify that the standards are correctly applied and issue a “certificate of
adequacy” to that effect. Note that in the case of the former, the Notified Body does
not assess the file; it merely keeps it as reference.
• Or, submit an example of the equipment to a Notified Body for an EC-type
examination. If the manufacturer has correctly applied the applicable standards,
the Notified Body will issue an EC-type examination certificate.
2) If the manufacturer has not fully complied with the EHSRs and relevant standards,
or if no relevant standards exist for this type of machinery, the manufacturer must submit an
example of the equipment to a Notified Body for an EC-type examination (see Appendix E for
a list of information OEMs need to submit for an examination). If the manufacturer has correctly
applied the applicable standards, the Notified Body will issue an EC-type examination certificate.


Most manufacturers can self-certify conformity with the Machinery Directive.


4.6

CE Marking
Having developed the TF, drawn up a DOC and, if required, passed an EC-type
examination, the machinery manufacturer may now legally affix CE marking to its product.
CE marking consists of the symbol shown in Figure 4.
If the marking is reduced or enlarged, the proportions given in the drawing below must be
maintained. Usually the minimum vertical dimension may not be less than 5 mm, but this may
be waived for small-scale machinery.

[Figure: CE marking symbol with dimension labels of 1, 3, 7 and 17 units]
Fig. 4.0 CE marking symbol and its proportions.


CHAPTER 5
Safety Category Requirements
5.0 Why include safety and safety-related components?
5.1 Well-tried components and design principles
5.2 Direct opening action contacts
5.3 Positively driven contacts
5.4 Redundancy
5.5 Normally energized circuits

Chapters 1 through 4 of this handbook guided readers through the logistics of obtaining
CE marking. Now, chapters 5 and 6 will provide information that shows readers how to select
and apply control-related products while considering requirements of the directives and
standards. Specifically, chapter 5 focuses on the design of safety-related control products,
as well as the safety categories introduced in section 3.10. Chapter 6 focuses on the electrical
safety of control components.

5.0

Why include safety and safety-related components?


Safety components are included in the Machinery Directive — even though they do not
fit the definition of machinery — because there is an important relationship between safety
components and machinery.
The definition of safety component is “...a component...which the manufacturer or his
authorized representative places on the market to fulfill a safety function when in use and
the failure or malfunctioning of which endangers the safety or health of exposed persons.”
Further clarifying this, “A component can be classified as a safety component only if:
1) its omission can endanger the safety or health of a person and 2) the machine could
function without them.”
In other words, to be a safety component, the component must have a specific safety
function, rather than an operational one. For example, safety relays and two-hand controls
are safety components. A machine could equally be operated by other types of components;
the safety relays and two-hand controls, as applied by the manufacturer, specifically function
to help prevent accidents. Annex IV of the Machinery Directive requires third-party
certification for logic units, such as safety relays, and for electrosensitive devices designed to
detect and safeguard persons, such as light curtains. However, components generally used in
the safety-related parts of control systems, such as gate interlock switches and emergency stop
pushbuttons, do not need third-party certification under the Machinery Directive and they are
not Annex IV listed.
To minimize risk in case of failure (or put another way, to help ensure the availability of the
safety function), the EU standards provide guidance for the design and use of safety components.
5.1

Well-tried components and design principles


Categories 1 through 4 for the safety of control systems require the use of “well-tried
components and principles.” Some of these are:
• Direct opening action contacts (positive opening operation); this applies to break
contacts (normally closed contacts)
• Positively driven contacts; this applies to devices with make and break contacts
(normally open and normally closed contacts)
• Anti-tease features for emergency stop buttons
• Redundancy, diversity and combination of positive and negative modes
• Normally energized circuits for safety functions

5.2

Direct opening action contacts


EN 60947-5-1, which covers electromechanical control circuit devices and switching
elements, defines direct opening action as “the achievement of contact separation as the direct
result of a specified movement of the switch actuator through non-resilient members (e.g., not
dependent upon springs).”
Direct opening action devices couple operating force to the contacts so that the force breaks
open contacts that may have welded together (see Figure 5.0). They do not use a spring interface
because a spring may have insufficient strength to break a weld or it could fail (see Figure 5.1).
Direct opening action designs are required for disconnect switches, emergency stop
switches, safety limit switches, cable pull safety switches and safety gate interlock switches
(see Figure 5.2 for some examples). These products will have the symbol for direct opening
action on them, shown like this:

[Figure labels: Contact welded; Direct opening action or "positive opening"; Welded contact forced open]
Fig. 5.0 Direct opening action assures safe E-Stop functions.

[Figure labels: Contacts welded; Spring force insufficient to break weld; Broken spring - contacts fail to open]
Fig. 5.1 Potential failure modes of “negative opening” contacts.

[Figure labels: Machine operating; Machine stopped; Key In Place; Contacts Welded; Key Removed; Weld Forced Open]
Fig. 5.2 Direct opening action helps assure separation of contacts.

5.3

Positively driven contacts


EN 60947-5-1 defines positively driven operation as “an operation which is designed to
ensure that contacts of a mechanical switching device are in the respective positions
corresponding to the open or closed position of the main contacts.”
A draft document of prEN 50205 — “Relays with positively driven contacts” — defines
them as “all-or-nothing relays with a combination of make contacts and break contacts” where
mechanical links ensure that if a Normally Open (NO) contact is closed, then the Normally Closed
(NC) contact cannot re-close (see Figure 5.3). If one of the NC contacts stays closed, none of the
NO contacts closes. Many standard relays and all safety relays use this technology.
Under all operating and fault conditions, a positively driven relay must have a contact gap
of 0.5 mm for single-break contacts and 2 x 0.3 mm for double-break contacts (the gap helps
prevent arcing from the stationary contacts to the spanner).

[Figure labels: NO and NC linked contacts joined by a mechanical link; Contact A; Contact B welded; contact gap 0.5 mm minimum (single contact) or 2 x 0.3 mm minimum (double contact)]
Positively guided contacts do not allow simultaneous closure of the NC and NO contacts.
If contact B welded, then contact A stays open.

Fig. 5.3 Positively guided relays.


5.4

Anti-tease features
Clause 6.2.1 of EN 60947-5, which covers E-Stops, states that “it shall not be possible for
the emergency stop device to latch-in without generating the emergency stop signal.... In case
of failure, the emergency stop device, the generation of the emergency stop signal shall have
priority over the latching means.”
In addition, clause 4.1.1 of EN 418 states that “any action on the actuator which results
in generating the emergency stop command shall also result in the latching-in of the control
device so that when the action on the actuator is discontinued, the emergency stop command
shall be maintained until the control device is reset (unlatched).”
These standards require IEC-style E-Stops to provide a means whereby the device’s
operator will never be in a latched-in state without the normally closed contact opening.
Further, if the contacts are welded or obstructed from opening, the operator should not be
allowed to latch.
By convention, manufacturers have used a feature called trigger action to achieve this.
Trigger action describes an operator that has a point of no return in its travel, after which the
contacts move through their full stroke. Some gate interlock switches also employ a similar
“point of no return” feature, and these interlocks are said to be of a “snap acting” design.

5.5

Redundancy

Using devices with different operating principles or using more than one device to perform
a control function increases circuit reliability. This is called redundancy, and it is a good design
practice that can fulfill category 2 and 3 functions for the safety of control circuits.
Figure 5.4 shows a sliding guard which closes off gears. Notice how it helps avoid failures
of the same kind by combining a limit switch with a positive mode NC contact with a second
limit switch that has a negative mode NO contact.

[Figure labels: Moving guard; S1 (Negative Mode); S2 (Positive Mode); Machine operating (guard closed); Machine stopped (guard open)]
Fig. 5.4 Limit switches operating in combined mode.

5.6

Normally energized circuits


A well-proven principle for safety circuits is to make them function when the electric
supply is interrupted (e.g., loose connections, wire breakage, brown-out, etc.). Normally
energized circuits detect power loss and ensure that the safety function remains intact.
Examples of these types of circuits are electrically operated brakes, emergency stop circuits
and the output relays of electronic motor protection relays. By executing the safety function
(i.e., removing power) after detecting a single fault, normally energized circuits can help fulfill
Category 2 and 3 safety requirements.

[Photos: Safety gate interlock switch; Cable pull safety switch; Limit switch; E-Stop]
Devices such as E-Stops, limit switches, safety gate interlock
switches and cable pull safety switches use direct opening action
principles, which is required under EN 60947-5-1. These well-tried
components are used in control systems with performance
requirements from category B to 4.

[Photos: Safety relay — integrated box design; Safety relay — three interwired relay design]
Safety relays use positively driven contacts to help prevent the
simultaneous closure of NO and NC contacts, which is required
under EN 60947-5-1. These well-tried components are most often
used in control systems meeting category 3 and 4 requirements.

5.7

Control circuits and performance categories


This section of chapter 5 reviews the category requirements, then illustrates control
circuits that can fulfill these requirements. Please note that these examples are provided
for educational purposes only, and that control circuits using other designs may also fulfill
performance requirements.

Requirement                                                   B   1   2   3   4
State of the art components                                   X   X   X   X   X
Well-tried components or principles                               X   X   X   X
Check safety functions at suitable intervals                          X
No loss of safety function through single fault                           X   X
Detection of single faults, or                                                X
No loss of safety functions through accumulation of faults                    X

Fig. 5.5 Safety category requirements; note the cumulative nature of the requirements.

5.8

Category B and Category 1


Category B has no specific requirements beyond recommending the use of state-of-the-art
components. Category 1 and all higher categories require the use of well-tried components and
principles. It focuses on the prevention of faults through the use of well-designed components.
Figure 5.6 shows the circuitry associated with a control relay. The elements of the system
include an E-Stop, an On/Off pushbutton, a control relay (contactor), a motor starter (or other
load) and an overload relay. Because the E-Stop is relatively simple and tends to operate
reliably, the chance of failure leading to a dangerous condition is probably minimal (assuming
it has been applied properly). Further, assuming the E-Stop is of the direct opening action
type, its normal failure mode is in the open circuit mode. If the contacts are tack welded
shut, they should be forced open on actuation, removing power.
Although the conventional relay illustrated in figure 5.6 has no open circuit failure mode,
reputable manufacturers produce relays that tend to operate reliably (experience indicates
that they rarely weld in the closed state). If the risk assessment is low — say a slow
moving conveyor — using a conventional relay may be acceptable.
If the risk assessment indicates category 1 — perhaps the operator needs to be shielded
from an arm pushing products onto the conveyor — the designer must take additional
precautions. Such precautions could include a moveable guard (which would use a gate
interlock switch) and three-wire control (i.e., an auxiliary holding contact).
Figure 5.7 shows a circuit diagram for incorporating a gate interlock and three-wire
control. The safety interlock removes power from the system when the guard is opened,
disabling the pusher arm. The three-wire control is designed so that after a power loss,
the start button must be pushed to restart the system. This protects the operator from
accidental or unexpected motion if the power were to come back on while the operator was
in the hazard zone.

[Circuit diagram labels: 24V; +V; On/Off pushbutton; CR; M; OL]
Fig. 5.6 This control circuit can fulfill category B requirements.

[Circuit diagram labels: 24V; +V; E-Stop; Stop; Gate Interlock; Start; CR; Pusher Controls; M; OL]
Fig. 5.7 This control circuit can fulfill category 1 requirements.

NOTE: These diagrams conform to NEMA style. For an IEC version, please refer to Appendix H.

Designer’s Discretion
Machine designers must use their own discretion — after making a risk assessment — when
identifying categories and specifying safety functions and components. Remember, the
directives and standards do not specify which safety aspects designers shall use; they
just provide guidance.

5.9

Category 2
From category 2 upward, the higher degree of safety results from the structure of the safety
circuits and the prevention and detection of faults (i.e., not only the choice of components).
This category requires a check of the safety function at suitable intervals; e.g., at the
beginning of each operation cycle, upon start-up, or at established times during the cycle
(it is the manufacturer’s responsibility to specify an appropriate interval). If a fault is detected
during start-up, the machine must be prevented from starting. If the safety function is lost
during a cycle, the loss must be detected at the next start-attempt.
Circuits for category 2 machinery — perhaps a pick-and-place robot has been added
to a fast moving conveyor — must focus on fault prevention. Two fault prevention techniques
include adding redundancy and using contactors with normally energized output circuits.
Figure 5.8 shows the circuit diagram of a redundant system. When the start button is
pushed under normal operating conditions, current will flow through the NC contacts CR1(a)
and CR2(a), energizing output coils CR1 and CR2. Then contacts CR1(b) and CR2(b) close
and maintain current flow; the NC contacts CR1(a) and CR2(a) drop out. If one of the contacts
welds during operation (e.g., CR1(c)), it is still possible to remove power from the load using
the E-stop. A restart would not be possible because the NC contact CR1(a) would remain in an
energized (i.e., open) state.
This fulfills category 2 requirements because the safety function is checked at the start of
each cycle. It also can fulfill some category 3 requirements because a single fault will not
cause the loss of the safety function.

[Circuit diagram; surviving label: Gate]

Fig. 5.8 This control circuit can fulfill category 2 requirements.
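
The welded-contact behaviour described for Fig. 5.8, as an added simulation that is not part of the handbook. The figure is not reproduced here, so the wiring is an assumption: the E-Stop and gate in series with the start path (Start, NC CR1(a), NC CR2(a)), hold contacts CR1(b) and CR2(b) in series across that start path, and the load fed through CR1(c) and CR2(c) in series. All class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Relay:
    """Relay with positively driven (mechanically linked) contacts."""
    name: str
    coil: bool = False
    welded: bool = False  # fault: a NO contact, e.g. CR1(c), is welded closed

    @property
    def armature_in(self) -> bool:
        # A welded NO contact holds the linked armature in with the coil off.
        return self.coil or self.welded

    @property
    def no_closed(self) -> bool:
        # NO contacts (b) hold and (c) load. Worst case: (b) follows the weld.
        return self.armature_in

    @property
    def nc_closed(self) -> bool:
        # NC contact (a) cannot re-close while any linked NO contact is closed.
        return not self.armature_in


class RedundantCircuit:
    """Two-relay redundant circuit with the assumed wiring named above."""

    def __init__(self) -> None:
        self.cr1 = Relay("CR1")
        self.cr2 = Relay("CR2")
        self.estop_closed = True
        self.gate_closed = True

    @property
    def load_on(self) -> bool:
        # The load needs both series output contacts closed.
        return self.cr1.no_closed and self.cr2.no_closed

    def _scan(self, start_pressed: bool) -> None:
        # Re-evaluate the coil rung until the relay states settle.
        for _ in range(4):
            start_path = (start_pressed and self.cr1.nc_closed
                          and self.cr2.nc_closed)
            hold_path = self.cr1.no_closed and self.cr2.no_closed
            coil = (self.estop_closed and self.gate_closed
                    and (start_path or hold_path))
            if coil == self.cr1.coil == self.cr2.coil:
                break
            self.cr1.coil = self.cr2.coil = coil

    def press_start(self) -> bool:
        self._scan(True)    # button pressed
        self._scan(False)   # button released: hold contacts carry the rung
        return self.load_on

    def press_estop(self) -> bool:
        self.estop_closed = False
        self._scan(False)
        return self.load_on

    def reset_estop(self) -> bool:
        self.estop_closed = True
        self._scan(False)
        return self.load_on


def welded_contact_scenario() -> tuple:
    """Single fault: CR1(c) welds while the machine is running."""
    c = RedundantCircuit()
    running = c.press_start()
    c.cr1.welded = True
    after_stop = c.press_estop()     # CR2(c) still opens the load circuit
    c.reset_estop()
    after_restart = c.press_start()  # NC CR1(a) is held open: no restart
    return running, after_stop, after_restart


def accumulated_faults_scenario() -> bool:
    """Two faults: both output contacts weld, so the E-Stop no longer helps."""
    c = RedundantCircuit()
    c.press_start()
    c.cr1.welded = c.cr2.welded = True
    return c.press_estop()           # load state after the E-Stop is pressed


if __name__ == "__main__":
    print("single weld (running, after stop, after restart):",
          welded_contact_scenario())
    print("both welded, load still on after E-Stop:",
          accumulated_faults_scenario())
```

The second scenario shows why this circuit stops short of category 4: once both output contacts have welded, the accumulated faults defeat the safety function.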

5.10

Category 3 and category 4


As noted earlier, category 3 requirements state that the safety function cannot be lost
as the result of a single fault. Where practical, a category 3 system will detect a single fault,
but an accumulation of faults can lead to the loss of the safety function.
To satisfy category 4 requirements, all previous requirements must be met, plus a single
fault must be detected at or before the next demand on the safety function. If this is not
possible, then an accumulation of faults must not lead to a loss of the safety function. Thus,
a fault will not cause the loss of the safety function, and there is an opportunity for repair
before the next fault can occur.
There are a number of methods to satisfy category 4 requirements, including interwiring
three positively guided relays, or using a “safety relay.” A safety relay incorporates the same
circuitry and three interwired relays, but consolidates them in an “integrated box” design. Both
designs feature a redundant, self-monitoring circuit with positively guided, normally energized
relay contacts.
To achieve redundancy and self-monitoring, a safety relay (see Figure 5.9) operates using
the following principles:
Normal operation: When the E-stop is pulled up, power flows through CR3(a) and
CR1(b), energizing the coil CR2. When this coil is energized, the NO contact CR2(c) closes,
which energizes coil CR3. NO contact CR3(b) closes and holds the coil CR3 energized. At
the same time, CR2(a) and CR2(b) close. CR2(b) holds in the coil CR2. The device is now
“armed and ready.”
When the operator pushes the start button power flows, NO contact CR2(a) closes and
energizes coil CR1. CR1(a) closes to hold in CR1. Then, the NC contact CR1(b) opens and
disconnects power from coil CR2. The final state is: coil CR1 on, coil CR2 off, and coil CR3
on. This condition allows the contacts of the output line [CR1(d), CR2(d), CR3(c)] to be closed
and the load energized.
Start button welded (fault): If the start button is welded (i.e., held energized) prior to
rearming of the system via the E-Stop, coil CR2 will not energize because the circuit is never
complete in the rung with CR3(a) and CR1(b). If coil CR2 cannot energize, it is not possible
to pull in coil CR3 because CR2(c) will not close.
Output CR2(d) welded (fault): After rearming the system via the E-Stop, power flows
and picks up coil CR2. The welded contact, CR2(d), will attempt to change state. If the weld
does not break, the NO contact of CR2(c) will not close, thus coil CR3 cannot energize and
the system cannot be started again. Likewise, if CR1(d) welds, CR1(b) will be held open. If
CR3(c) welds, CR3(a) will be held open. Both situations prevent coil CR2 from energizing,
so the system cannot be rearmed.
E-Stop failure: If the lower E-Stop fails (one contact remakes and one does not, or the
spanner breaks), coil CR3 will not energize. If the upper E-Stop fails, coils CR2 and CR1
will not energize.
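The arming, start and welded-output-contact sequences described above, stepped through as a small simulation. This is an added example, not part of the handbook: Figure 5.9 is not reproduced here, so the rung wiring and the names ch1, ch2, SafetyRelay, start_cycle and weld_then_restart are assumptions reconstructed from the prose. It covers the welded output contact and single E-stop contact cases, not the welded start button.

```python
"""Step-by-step model of the three-relay circuit described in the text.

ASSUMPTION: Figure 5.9 is not reproduced on the page, so the rung wiring
below is reconstructed from the prose. ch1/ch2 stand for the upper and
lower E-stop contacts (True = closed, i.e. E-stop pulled up).
"""

# Positive guidance: all contacts of a relay move with one armature, so a
# welded output contact holds the whole relay in the position it welded in.
WELD_HOLDS = {
    "CR1(d)": ("CR1", True),   # NO output contact welded closed
    "CR2(d)": ("CR2", False),  # NC output contact welded closed
    "CR3(c)": ("CR3", True),   # NO output contact welded closed
}


class SafetyRelay:
    def __init__(self):
        self.pos = {"CR1": False, "CR2": False, "CR3": False}  # armatures
        self.stuck = {}                                        # welded relays

    def weld(self, contact):
        relay, held = WELD_HOLDS[contact]
        self.stuck[relay] = held
        self.pos[relay] = held

    def _coil_power(self, ch1, ch2, start):
        p = self.pos
        return {
            # CR2: ch1 -> CR1(b) NC -> (CR3(a) NC, or CR2(b) NO hold-in)
            "CR2": ch1 and not p["CR1"] and (not p["CR3"] or p["CR2"]),
            # CR3: ch2 -> (CR2(c) NO, or CR3(b) NO hold-in)
            "CR3": ch2 and (p["CR2"] or p["CR3"]),
            # CR1: ch1 -> (start button with CR2(a) NO, or CR1(a) NO hold-in)
            "CR1": ch1 and ((start and p["CR2"]) or p["CR1"]),
        }

    def settle(self, ch1, ch2, start=False):
        """Apply the inputs, let the relays reach a stable state, and
        return whether the load is energized."""
        for _ in range(8):
            nxt = self._coil_power(ch1, ch2, start)
            nxt.update(self.stuck)          # a welded relay cannot move
            if nxt == self.pos:
                return self.load_energized()
            self.pos = nxt
        raise RuntimeError("relay states did not settle")

    def load_energized(self):
        # Output line: CR1(d) NO, CR2(d) NC and CR3(c) NO in series.
        p = self.pos
        return p["CR1"] and not p["CR2"] and p["CR3"]


def start_cycle(relay, ch1=True, ch2=True):
    """Pull up the E-stop (arm), press and release start; return load state."""
    relay.settle(ch1, ch2)                  # arm
    relay.settle(ch1, ch2, start=True)      # operator presses start
    return relay.settle(ch1, ch2)           # start released


def weld_then_restart(contact):
    """Weld one output contact while running, then E-stop and try again.
    Returns (load after E-stop, load after restart attempt)."""
    relay = SafetyRelay()
    assert start_cycle(relay)               # healthy start energizes load
    relay.weld(contact)
    after_stop = relay.settle(False, False)  # E-stop pushed
    return after_stop, start_cycle(relay)


if __name__ == "__main__":
    healthy = SafetyRelay()
    print("armed, load:", healthy.settle(True, True), healthy.pos)
    print("started, load:", start_cycle(healthy), healthy.pos)
    for c in WELD_HOLDS:
        print(c, "welded ->", weld_then_restart(c))
    print("lower E-stop contact open:", start_cycle(SafetyRelay(), ch2=False))
    print("upper E-stop contact open:", start_cycle(SafetyRelay(), ch1=False))
```

In every fault case the remaining healthy relays open the output line on E-stop, and the stuck armature keeps CR2 or CR3 from pulling in on the next arming attempt, so the load stays off.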
Machine designers can use safety relays to help safeguard human interaction with
dangerous equipment. As such, circuits for operator interfaces — palm buttons, pull cords,
light curtains and similar devices — are tied into the safety relay circuit.
One classic example of a machine requiring category 4 safety precautions is a large,
hand-fed metal stamping press. To ensure that the operator’s body and hands are out of the
hazard area during operation, the press uses two-hand control for actuation.
To wire in the relays for the two-hand control (or cable pull switch, light curtain, etc.), put
two NC contacts in the circuit just prior to CR3(a); that is, replace the jumper. If one of the
two relays welds in the energized position, the safety relay will detect failure and prevent the
machine from starting.
Note that the objective of the two-hand control/safety relay combination is not to detect a
failure while the machine is running (if something fails at this stage, the operator will know it).
Rather, if a single contact or an entire relay fails, the multiple, redundant relays in the load
circuit are designed so that the load can be de-energized, and the self-monitoring circuit
prevents a restart until the fault is corrected.


Fig. 5.9 This control circuit can meet category 4 requirements.

Note: In order to minimize the potential for shorting of channel 1 to channel 2, which would not be detected
by the circuit, the wiring should be installed in separate conduits.
CHAPTER 6
Safety Concerns for Power-Related Products

6.0 Operational functions
6.1 Contact reliability
6.2 Multiple fault detection
6.3 Motor protection
6.4 Safe separation of circuits to avoid electrical shock
6.5 Protection against electric shock
6.6 Protection against indirect contact

6.0

Operational functions
The European Norms provide both broad guidance and great detail on safety functions
“which are safety critical functions other than safety-specific* functions” — that is,
components which provide critical operational functions. According to EN 60204-1, this
includes products such as power supply disconnecting devices, enclosures, power circuits,
control circuits and motor overload protection. Properly applying these devices, according to
EN 1037, helps assure proper start-up, prevent unexpected start-up, and isolate the machine
from its energy supply to enable safe maintenance or other work.
As with the safety components discussed in chapter 5, there are numerous well-tried design
principles manufacturers should look for when selecting power-related safety components.
Some of these principles are:
• Contact reliability
• Multiple fault detection
• Short-circuit protection for safety
• Safe separation of circuits for avoidance of electrical shock
• Protection against electric shock (“finger proof ”)
• Protection against indirect contact
* Recall that the products discussed in the previous chapter provide safety-specific functions (e.g., the primary
purpose of a cable pull switch is to serve as a safety-stop device, not as a routine stop button).

6.1
Contact reliability
Many control circuits operate at 24V DC levels, which is common for PLC systems
and other electric controls. The contacts of power devices like contactors, circuit breakers or
switches, as well as the contacts of relays and sensors, have to work reliably at these signal
levels. The same contacts must perform reliably at conventional loads with high AC-15 ratings.
Devices using “cross stamped” and “H bridges” (see photo on next page) perform excellently
under these conditions and improve the reliability and safety of control circuits.
Cross stamped (left) and H bridge contacts.

6.2

Multiple fault detection


The EU standards suggest incorporating different types of safety functions to avoid
hazards. As an example, a high-end motor protection device offers a number of functions
to avoid hazards at an early stage.
Besides overload and short circuit protection, motor protection relays offer stalling
protection and underload protection. Stalling protection prevents mechanical parts from breaking
by very quickly switching off the motor when it senses excessive torque (i.e., it could avert the
breaking of mechanical parts that, if they broke, might endanger persons nearby). Underload
protection responds to situations where the failure of mechanical transmission elements or part
breakage (e.g., a drill bit, chain, pulley, etc.) could lead to dangerous situations.

6.3
Motor protection
Motor starters (motor protection) are available with short-circuit coordination levels of
Type 1, Type 2 and CPS. The contactor and overload relay are tested with appropriate short
circuit protective devices, typically fuses or a circuit breaker, to determine the coordination
levels. After a short circuit, an interruption of service is unavoidable while the source of the
failure is traced and cleared. However, the type of coordination will determine the length
of the interruption (see Figure 6.0).
[Figure 6.0 chart: for coordination Type "1", Type "2" and Type "CPS", the steps that follow a short circuit: trace and clear failure after short-circuit; inspect starter; exchange components; break off welded contacts if any; restart operation; planned maintenance. Restart operation and planned maintenance are marked for all three types.]

Fig. 6.0 Short-circuit coordination levels for motor starters.

After a short circuit with Type 1 coordination, the starter components (contactor, overload,
motor protection circuit breaker) may be defective and need replacing. A restart is only possible
after replacing starter components, which could take some time if the components are not
immediately available.
Type 2 coordination ensures that the starter components stay serviceable after a short
circuit (the contacts may weld slightly, but they can be separated with a screwdriver). No
replacement parts are needed before restarting the machine.
Type CPS (IEC 947-6-2, Control and Protective Switching devices, CPS) coordination
devices ensure that the starter components stay serviceable after a short circuit, that no
replacement parts are needed before restarting the machine and that the starter will deliver
additional operations at rated load without any inspection of components. [Note: While Type 2
and Type CPS allow component replacement, the components eventually require replacing
because short circuits cause heavy contact wear.]
Correctly coordinated motor starters — regardless of their type — ensure that in case of a
short circuit, no damage occurs outside the starter. This contributes to the protection of nearby
personnel and control components.
In addition, many circuit breakers and fuses for motor protection offer high current limiting
capabilities to reduce fault energy to very low levels. These lower energy levels reduce the
danger to personnel and damage to surrounding equipment. This enables short restart times,
particularly when short circuit coordination Type 2 or Type CPS is chosen. Further, devices
with high current limitation do not require oversizing of the contact to achieve Type 2 or Type
CPS coordination.

6.4

Safe separation of circuits to avoid electrical shock


PELV and SELV (types of Extra Low Voltage, operating on a maximum of 25V AC or
60V DC) are used to avoid the hazard of electric shock. The PELV/SELV voltage is supplied
from a source with an increased safety level, such as from a safety isolating transformer where
one side of the circuit is connected to protective earth. All PELV/SELV circuits must be
separated from other circuits with the level of separation of a safety isolating transformer.
Safe separation between the power and the control circuit is shown in Figure 6.1.

[Figure 6.1 diagram labels: insulating barrier, PELV 1, PELV 2, starter coil.]

Fig. 6.1 Safe separation between main and logic circuits.


PELV/SELV allows technicians to work on 24V circuits (e.g., PLC circuits) without
needing protective measures against electric shock.
Thus, control circuit devices (e.g., contactor coils and auxiliary contacts) operating in
PELV/SELV circuits require a higher level of physical separation between the main circuits
and the control circuits (see Figure 6.2). This can be achieved by reinforced insulation. The safe
separation of circuits must be maintained under all conditions. Devices with safe separation
preclude the need for interposing relays and contribute to a lower cost control system.

[Figure 6.2 diagram labels: insulating barrier, magnet.]

Fig. 6.2 PELV and SELV contactors provide safe separation between circuits.
6.5

Protection against electric shock


The EN 60204-1 standard requires that persons be protected against electric shock from direct
contact and indirect contact. Protection against direct contact can be accomplished by placing the
electrical equipment in a proper enclosure. The standard indicates three ways to achieve protection:
• The enclosure can only be opened with a key or tool, or
• The door is interlocked with the disconnector, or
• All live parts are protected to IP2X or IPXXB.
Key or tool opened: This assumes that only qualified persons will open an enclosure
containing live electrical equipment. The person doing so must follow the proper safety
procedures, such as disconnecting power to the enclosure, before working on it.
Interlocked: The enclosure door may be opened only after the disconnector (handle)
is in the open position. The disconnector must disconnect all electrical power to the enclosure.
The line side terminals of the disconnector must be protected from accidental touching,
which sometimes is stated as being “finger proof.”
IP2X or IPXXB level: If the requirements above are not met (i.e., the enclosure cover has
a handle that anyone can open), the live parts must be protected to IP2X or IPXXB level. The
explanation for these designations is in the IEC 529 standard, “Degrees of protection provided
by enclosure.” A simple explanation for these requirements is that a test finger shall not touch
live parts.
An alternate protection is completely enclosing all live parts in an insulating material.
In practice, this is possible only if the enclosure contains just conductors.

6.6

Protection against indirect contact


This protection is required in the event of an insulation failure between live parts and
exposed conductive parts of electrical equipment. It can be accomplished by preventing
hazardous touch voltage or automatic disconnection, as noted in clause 6.3 of EN 60204.
One choice for preventing hazardous touch voltage requires the use of circuit breakers or
fuses to automatically disconnect the circuit in case of a short circuit. Connecting exposed
conductive parts to a protective earth (grounding) is required.
Another choice for preventing hazardous touch voltage requires Class II equipment (double
or reinforced insulation) per IEC standard 536. If one insulating system fails, the other
insulating system provides full protection against electrical shock. Alternately, preventing
hazardous touch requires using assemblies having total insulation per IEC standard 439-1
or using supplementary or reinforced insulation per 413.2 of IEC standard 364-4-41.

Control and load switch, which could be applied as a hand-operated disconnect or as an Emergency Stop when using the red actuator (as shown).

IEC Contactor with IP 2LX finger protection against accidental contact with live components.

Manual motor starter with magnetic trip and bi-metallic overload protection. When properly applied with the contactor shown on the left, it provides Type 2 coordination.

The hazardous touch voltage can be avoided by electrical separation per 413.5 of
IEC standard 364-4-41, too. Further, it can be avoided with a construction where, in case
a live part comes in contact with an exposed conductive part, the contact will not create
hazard. An isolating source, like an insulating transformer which is not grounded, or other
measures stated in the standard, provides this type of protection. The voltage is limited to
500V in these circuits.

Electronic motor manager — an electronic overload protection relay with communications capability.

Electronic overload relay — provides Type 2 coordination when properly applied with the contactor shown on the facing page.

CHAPTER 7
Frequently Asked Questions (FAQs)

Big Picture FAQs
1. What do the EU directives address?
Three basic areas: 1) Safety of individuals; 2) Protection of the environment; and
3) Free movement of goods within the EU/EEA geographical regions through
harmonization of standards and the elimination of trade barriers.

2. Since these are European standards, isn’t it best to use European
manufactured components?
No. There are a significant number of non-European manufactured products which
comply with all aspects of European standards. Further, a larger variety and better
products may be available if designers do not limit their selection to any one region.

3. Do I need to have a third-party inspect my machine to obtain CE marking?


Most machinery manufacturers — about 95 percent — can self-certify compliance
with the Machinery Directives. A few product categories (i.e., high-risk machinery like
punch presses, saws, etc.) require third-party certification. However, note that meeting
EMC Directive requirements often involves a third party.

4. Do I need to buy components with additional safety on them besides CE marking
(e.g., the German “GS” safety mark or Danish “Demko” mark)?
No. Any product bearing CE marking is held out to meet EU safety requirements.

5. Do I need to use components with CE marking on them to meet Machinery
Directive requirements?
This is an “apples to oranges” comparison. CE marking on a component indicates compliance
with an EU directive that applies to components, such as the Electromagnetic Compatibility
(EMC) Directive or Low Voltage (LV) Directive. The Machinery Directive has requirements
for controls and safety components (e.g., “must use positively guided contacts”), and these
are an entirely separate set of concerns from the EMC and LV Directives.

6. What is the difference between the LV and EMC Directives?


The Low Voltage Directive covers electrical equipment between 50 - 1000V AC and
75 - 1500V DC. The Electromagnetic Compatibility Directive covers electrical equipment
which emits or is influenced by certain types of electromagnetic radiation.
7. If all components in my control panel are CE marked, is my machine automatically
CE certified?
No — absolutely not. Component installation must be verified, and there are other
requirements that apply to the entire assembly. For example, using a safety relay with CE
marking has nothing to do with whether you’ve properly guarded against a dangerous motion.
Secondly, there is no such thing as “CE certified” or “CE approved.” Machine builders
must “comply with” or “show conformity to” the Machinery Directive, any other
directives that apply, and any harmonized standards they choose to use to show conformity.

8. What relationships are there between EU directives and CE marking?


The directives state the EU law, while CE marking indicates that the product meets
the directives applicable to it. To find out which directives apply to a product, examine
its Declaration of Conformity (DOC).

9. Are directive requirements equivalent to UL standards?


No. Directives are laws of the European Community, whereas UL standards are standards
put forth by a company.

10. What are “harmonized” and “national” standards? How do they impact my efforts
to be compliant with the EU directives?
The European Norms are harmonized standards, which means that they are applicable
in, and recognized by, all EU countries. Showing conformity with harmonized standards
is considered the easiest way to demonstrate compliance with the EU directives.

National standards are standards within a country that are singular to that country, and
they may differ from the harmonized standards. National standards have no impact on
complying with the EU directives.

11. What is the relationship between the Machinery Directive and OSHA requirements
for safety? Does having one mean you comply with the other?
The EU directives and OSHA requirements are independent of one another, so having
one does not mean that you comply with the other. If you want to sell your machine in
both the EU and the U.S., you need to understand both sets of requirements.
12. Will the Machinery Directive ever displace OSHA or ANSI design guidelines?
No, because the electrical codes and installation requirements differ between North
America and Europe. However, they are getting closer over time.

13. Does CE marking or the DOC certify compliance with the no PCBs/no asbestos
requirement of Europe?
The use of asbestos is covered by one of the Marketing Directives and Use of Dangerous
Substances Directive. Where asbestos is used, these directives apply. These directives do
not mandate CE marking, but a machine bearing CE marking must meet their requirements.

14. What impact do the EU safety directives have on equipment built in, and destined
for, the U.S.?
Legally, the directives have no impact on the U.S. In practice, however, manufacturers
may try to build one piece of equipment that satisfies both EU and U.S. requirements
to improve manufacturing efficiency.

15. How do I self-certify my machine to obtain CE marking?


Start with this safety handbook and follow the road map provided. Obtain the directives
and standards that apply to your machinery and thoroughly digest and apply them (this
point cannot be overstated). Ultimately, you must be able to prove (if called upon to do so)
to an authorized body that you have met the Essential Health and Safety Requirements in
Annex I of the Machinery Directive.

16. Where do I get the necessary documentation related to CE marking my machine?


Section 2.3 of this handbook provides sources for purchasing the directives and standards.

17. Can I use Rockwell Automation to get my machine CE marked?


No. Only a machine’s manufacturer can apply CE marking to the machine. A
common misconception is that a Notified Body can CE mark a machine. A Notified Body
assesses whether the manufacturer has adequately satisfied the directives/applied the
standards appropriately, taking the burden of proof off the manufacturer.
18. What are the costs involved with complying with the Machinery Directive?
Theoretically, there should be no additional manufacturing cost, as safety is an integral
component of the design process. Realistically, the directives require more documentation
than most companies normally develop.
19. How do I assess my risk category?
EN 1050 provides principles for risk assessment and examples of hazards. Annex B of EN
954 provides a flow chart for assessing risk and assigning categories. See chapter 3 of this
handbook for more details.

20. How do I know if my risk assessment is accurate? How do I know when I’m done?
EN 292-1 and EN 292-2 discuss risk in great detail, and Annex B of EN 1050 covers
methods for analyzing hazards and estimating risk. Figure 3.1 in this handbook depicts
the strategy for selecting designed-in safety measures and indicates when you should
ask yourself “Is safety adequate?”

21. Isn’t it easier to just make everything risk category 4?


No. First, why make a machine more complicated and expensive than necessary? Second,
the ultimate objective is to offer a machine which functions reasonably safely. Thus, a
well-designed machine using highly-reliable components and a well-designed category 1
control system could perform better than, and satisfy reasonable safety expectations as
well as, a machine with a category 4 control system.

22. Who can help me evaluate my machine?


Numerous companies and organizations provide this service. Many of them originated
in Europe. Also, some organizations specialize in a specific class of machinery.

23. Do I need to hire a consultant?


The choice is yours. If a manufacturing company feels it does not possess or cannot
acquire the necessary expertise in-house, a consultant may prove valuable.

24. Can Rockwell Automation recommend a Notified Body?


Rockwell Automation does not endorse any particular Notified Body; also, the list of
Notified Bodies changes frequently. However, searching the Internet is a good place to
start. The FEM brochure noted in section 3.2 of this book lists Notified Bodies, and
consultants also can provide recommendations.
25. Can manufacturers do testing on site (e.g., tests related to the Low Voltage and
EMC Directives)?
Yes. However, manufacturers may not possess the necessary test equipment. In such a
case, they often turn to a third party or independent laboratory to perform the test.

26. Are the EU directives spreading to other countries (i.e., Australia)?


No. The directives are laws specific to the EU. The European Norms, most of which
are based on IEC standards, naturally resemble standards used by many countries.

27. What standards address which products? Do the standards vary by location?
The list of standards is extensive. Appendix B of this handbook provides a short, partial
list of those most likely to relate to machine builders. Section 2.3 of this handbook notes
sources that can provide you with the complete standards list.
For any country requiring CE marking, use the European Norms. IEC or ISO standards
may also be acceptable.

28. What is the penalty for not having CE marking on my machine?


EU customs officials will not allow the machine to enter the market, nor will they permit
such a product to be placed into service in the EU.

29. What is the penalty for failing to comply with the Machinery Directive but placing
CE marking on the machine?
Article 7.3 of the Machinery Directive, a law, states that “where machinery which does
not comply bears CE marking...the Member State shall take appropriate action against
whomsoever has affixed the marking...and shall so inform the Commission [of the EU]
and the other Member States.”

30. How do I minimize my legal exposure?


Meet the requirements stated in the directives.

31. How are the standards being enforced?


The EU does not enforce standards; they enforce directives.
Component FAQs
32. When selecting components, is the answer application dependent? Do you need
to apply components differently for different applications?
Yes. Start by asking two questions: What is the function of the entire assembly? How are
you applying the component to the assembly? Next, look to the directives and standards
for guidance. By way of example, the stop button and related circuits for a copy machine
differ greatly from the stop button and related circuits for a saw mill or a large
compression molding machine.

33. Do safety relays replace a master control relay?


Yes. Safety relays replace a master control relay (MCR) because they provide functions
an MCR cannot.

34. Why are safety relays needed?


Strictly speaking, machine builders need the function and performance capabilities
of a safety relay, not the product itself.

Safety relays are designed to eliminate the potential for a single contact to cause a failure
that would not allow the system to shut down. This function helps meet risk category 3 or
4 requirements: detection of a single failure, maintenance of the integrity of the E-Stop
function and prevention of a restart until the fault is cleared. A safety relay is really
a combination of several relays wired into a circuit that provides the safety functions
noted above. Remember, the Machinery Directive does not require the use of any
particular product; it specifies function and performance requirements. A safety relay
is a means to this end.

35. Can I just replace my MCR with a safety relay?

No. Simply replacing the MCR with a safety relay does not directly correlate with making
the machine comply with the Machinery Directive. The safety relay must be applied
according to the relevant directives and standards.
36. How do safety interlock switches interface with a safety relay? Are they an input
to the relay or are they a load?
A safety interlock interfaces the same way an E-Stop button interfaces: as an input to the
relay. In some applications, the interlock contacts will be wired in series with the E-Stop.

37. Can I use a standard magnetic switch?


It depends on the application. Provided that its function and design meet the performance
level indicated by the risk analysis, manufacturers can select any component they like.

38. In which application should I use “safety controls”?


An application should use the type of controls needed to make the application as safe
as reasonably possible. Whether you use “safety controls” or not skirts the core issue,
which is to understand what the machine’s risks are and design the machine and its
controls accordingly.

39. Do I have to use a safety relay in conjunction with every electrical safety device,
e.g., safety interlock switch, light curtain, safety mat, E-Stop, etc.?
Not necessarily, as it depends on the application and the control system. The risk
associated with your machine might not require a safety relay. Also, you may not have
to use a separate safety relay with each input device. For example, a safety interlock
switch, light curtain and E-Stop related to the same hazard may be wired in series
to one safety relay.

40. If I have redundant safety input devices, does this eliminate the need
for a safety relay?
No. Redundancy does not deliver the same function as a safety relay.

41. What is the current OSHA ruling on safety relays and switches?
Just like the European directives and standards, the OSHA requirements look to a certain
level of performance for the control system. They do not specify products. By design, a
safety relay can help provide the performance OSHA seeks.
Rockwell Automation/Allen-Bradley FAQs
42. What do “positively guided” and “positive break” mean and how do they differ?
Does Rockwell Automation offer products with these features?
Positively guided refers to the electronic actuation of relay contact/auxiliary contact
actuation on starters. Positive break refers to the mechanical actuation of devices like
an interlock switch or E-stop button. Chapter 5 of this book provides detail on their
differences.

Rockwell Automation offers a variety of safety components employing these operating
principles.

43. Can customers build their own safety relay using Rockwell Automation
components, and will it be approved?
Yes, they can build their own safety relay using Rockwell Automation components (or any
other components, and using any other design) provided that resulting performance meets
the performance required by the applicable directives. It will be approved if they can prove
compliance with the directives.

44. Can I obtain a list from Rockwell Automation of all its CE marked control
components? What other CE information does Rockwell Automation have?
Yes. Please ask your local Rockwell Automation representative for a list. Information
about our products and the CE mark in general is available on Rockwell Automation’s
Internet site at www.ab.com. Click on the “Allen-Bradley and the CE mark” button.

45. What type of approval does A-B have?


Most Rockwell Automation products of the type discussed in this handbook are covered by
the Low Voltage and EMC Directives. Products meeting these directives bear the CE mark.
A Declaration of Conformity statement is available for these products.
46. How can I obtain the Declaration of Conformity (DOC) for a Rockwell Automation
product?
If you would like a DOC, ask your local Rockwell Automation representative. The
information is also available on Rockwell Automation’s Internet site at www.ab.com.
Click on the “Allen-Bradley and the CE mark” button.

47. What NEMA designed products will A-B have CE marked?


Various products from each major business group carry CE marking. Please ask your
local Rockwell Automation representative for a list. The information is also available
on Rockwell Automation’s Internet site at www.ab.com. Click on the “Allen-Bradley and
the CE mark” button.

48. Do the new MCS control relays, including Adder Decks, incorporate positively
guided contacts?
Yes.

GLOSSARY
Glossary of Terms
ANNEX - An appendix, as might be used with a Council Directive.

ANNEX IV-EQUIPMENT - Machine types which are considered to be particularly dangerous.
Also includes safety components. Such equipment must undergo a more stringent
conformity assessment procedure, including an EC type-examination by a third party.

AUTHORIZED REPRESENTATIVE - Person appointed by the manufacturer to act on its
behalf in carrying out certain tasks required by the directive, which the manufacturer
has delegated to the representative. At this time, the authorized representative must be
established in the European community to be able to act on the manufacturer’s behalf.
It can be advantageous to establish an authorized representative.

CE MARKING (CE mark) - The identifying mark, consisting of the letters “CE” that, together
with an EC Declaration of Conformity, indicates conformity of the product to which it is
affixed to the essential health and safety requirements of the relevant directive(s). Allows
products to be sold anywhere in the EU. CE Marking is mandatory for most products
in the EU. CE stands for European Community in French.

CEN, CENELEC - European Committee for Standardization (CEN); European Committee
for Electrotechnical Standardization (CENELEC).

CERTIFICATE OF ADEQUACY - The type of certificate issued when a Notified Body
determines that the applicable national standards have been correctly applied to the
design and manufacture of the machinery under review.

COUNCIL OF THE EUROPEAN COMMUNITIES - The legislative body of the EU.

DECLARATION OF CONFORMITY - A formal signed statement indicating conformity
of the referenced product to the listed provisions of the applicable directive(s). Entitles
manufacturer to affix CE Marking.

DIRECTIVE - Legislation which is binding on all Member States that has been adopted
by the Council of the European Communities.

EC TYPE-EXAMINATION - The procedure by which a Notified Body ascertains and certifies
that an example (sample) of machinery satisfies the provisions of the applicable directive(s).

ESSENTIAL HEALTH AND SAFETY REQUIREMENTS (EHSRs) - To comply with the
Machinery Directive, machinery must satisfy the essential health and safety requirements
set out in Annex I. The requirements are wide-ranging, and take into account potential
dangers to operators and other exposed persons within a “danger zone.” Aspects covered
in Part 1 include: the materials used in the construction of the machinery; lighting;
controls; stability; fire; noise; vibration; radiation; emission of dust, gases etc.; maintenance;
and instruction handbooks. Part 2 has additional requirements for agri-foodstuffs machinery,
portable hand-held machinery, and machinery for working wood and analogous materials.
Part 3 deals with particular hazards associated with mobility, Part 4 with those associated
with lifting, Part 5 those with underground working and Part 6 those associated with the
lifting and moving of persons.

EUROPEAN NORM (EN; also called a HARMONIZED EUROPEAN COMMUNITY
STANDARD) - Voluntary guidelines (not laws) that clarify and expand on the essential
requirements of the directives. Standards provide the most expedient means of testing
or verifying conformity to a directive. They are developed by CEN and CENELEC. These
organizations have pledged to use international standards (ISO and IEC) whenever possible.
Harmonized standards supersede individual country requirements.

EUROPEAN UNION (EU) - The regional geographic and economic union formed by 15
European nations bound by treaty to form a single European Economic Community.
The countries are (as of January 1, 1997) Austria, Belgium, Denmark, Finland, France,
Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden and
the United Kingdom.

HAZARD - An event that can cause physical injury and/or damage to health or property.
Annex A of EN 1050 provides examples of hazards, hazardous situations and hazardous events.

MACHINERY - An assembly of linked parts or components, at least one of which moves,
which have been combined to process, treat, move or package a material. Also an assembly
of such machines.

MACHINERY DIRECTIVE - EU legislation (law) that lays down the essential health and safety
requirements applying to machinery, as defined in Annex I. It also covers safety components
placed on the market separately.

MANUFACTURER - Person responsible for designing and manufacturing a product covered by
the directive(s), with a view to placing it on the community market. The manufacturer is
responsible for designing and manufacturing products in accordance with the directives
and following the certification procedures (declaration, type-exam, CE Marking and
preparation of files).

MEMBER STATES - Those nations that make up the EU.


NOTIFIED BODY - An independent testing laboratory that a Member State has determined
to be qualified to perform testing and certification functions relating to specified EC
Directives. The Member State “notifies” the EC and the laboratory of the laboratory’s
qualified status as tester and certifier.

PERFORMANCE CATEGORIES - EN 954 states that safety-related parts of control systems
shall be in accordance with the requirements of one or more of the five categories (B, 1, 2,
3, 4). The categories state the behavior required of safety-related parts of control systems
with respect to their resistance to faults.

RISK ASSESSMENT (or risk analysis) - From EN 1050, which establishes general
principles and procedures for identifying hazards and evaluating risks as they relate
to decisions made on the safety of machinery.

RISK ESTIMATION - The risk associated with a particular situation or process is derived
from a combination of the severity of harm and the probability of occurrence of that harm.
Probability of occurrence involves the frequency and duration of exposure, probability of
the event occurring, and probability of avoiding or limiting the harm. Based on risk level
(Annex B of EN 954 provides a decision tree), a machine can be required to have control
systems that meet the requirements of a particular safety category.

RISK REDUCTION - Manufacturers must apply the following principles when designing
a machine: eliminate or reduce risks as far as possible; take the necessary protection
measures in relation to risks that cannot be eliminated; and inform users of the residual
risks due to any shortcomings of the protection measures, indicate whether any particular
training is required and specify any need to provide personal protection equipment.

SAFETY COMPONENT - A component, provided that it is not interchangeable equipment,
which the manufacturer or his authorized representative established in the Community
places on the market to fulfill a safety function when in use and the failure of which
endangers the safety or health of exposed persons (i.e., not standard components). Safety
components shall not carry CE marking for complying with the Machinery Directive;
other directives may apply.

SELF-CERTIFICATION - A procedure whereby the manufacturer or its designated
representative in the EU can themselves certify conformity of the product to the essential
health and safety requirements of the applicable Directive(s) and to other relevant requirements.

STANDARDS - See EUROPEAN NORM.


TECHNICAL FILE - Documentation required by directives. File compiled by the manufacturer
and placed at the disposal of the national authorities should they so request. Note: the term
Technical Construction File (TCF) is referred to in the EMC directive.

TYPE A STANDARDS - Fundamental safety standards that cover the basic concepts, principles
and general aspects of all machinery.

TYPE B STANDARDS - Group safety standards. They cover one safety aspect, one type of
safety-related device and a wide range of machinery.

TYPE C STANDARDS - Detailed safety requirements for a particular machine or class of machines.

WELL-TRIED - A well-tried component for a safety-related application is a component which
has been widely-used in the past with successful results, or made and verified using
principles which demonstrate its suitability and reliability for safety-related applications.

APPENDICES
Appendix A — Select Type B standards
Type B1 and B2 standards (basic safety standards) deal with one safety aspect or one type of
safety-related device for a range of machinery. The following is a brief list (as of March 1, 1997):

General
EN 954-1: Safety-related parts of control systems
EN 953: Design and construction of guards
EN 1088: Interlocking devices w/& w/o guard locking
EN 982, 983: Fluid power systems
EN 294, 349, 811: Safety distances
EN 999: Hand/arm speed
EN 626: Hazardous substances
EN 1093: Emission of hazardous substances from machines
EN 1127-1: Fire and explosions (this work is now part of CEN/TC 310)
EN 1760: (2) Pressure-sensitive protective devices (mats, bumpers, edges, etc.)

Electrical
EN 60204-1: Basic electrical requirements
IEC 1131: Programmable controllers
IEC/CD 1508: Safety-related systems — electrical, electronics, programmable
electronics
EN 418: Emergency stop equipment
EN 574: Two-hand control devices
EN 50100: Electrosensitive protective equipment
EN 61310 (50099): Visual, tactile, and audible signals
EN 60947: Low-voltage switch gear and control gear
Part 1: General rules
Part 2: Circuit breakers
Part 3: Switches, disconnectors, switch-disconnectors and fuse
combination units
Part 4: Contactors and motor starters
Part 5: Control circuit devices and switching elements
Part 6: Multiple function equipment
Part 7: Ancillary equipment
EN 60947-5-2: Proximity devices

Ergonomics
EN 614-1: Ergonomic design principles — terminology & general principles
EN 547: Human body dimensions
EN 563: Temperature of touchable surfaces
EN 894: Ergonomic requirements for the design of displays & control
actuators
EN 981: System of danger and non-danger signals with sound & light
EN 1005: Human physical performance (3 parts)

Acoustics
EN 2374X: Acoustics — Determination of sound power levels of noise sources
EN 24871: Acoustics — Noise labeling of machinery and equipment

Electromagnetic Compatibility
EN 50081-2: Electromagnetic compatibility — Generic emission standard —
Part 2: Industrial environment
EN 50082-2: Electromagnetic compatibility — Generic immunity standard —
Part 2: Industrial environment

Vibration
EN 1031: Measurement of whole body vibration — General requirements
EN 1032: Testing of machinery in order to measure the whole-body vibration
emission value — General requirements

Appendix B — Electrical equipment of machines
After completing a risk assessment (covered in sections 3.8 - 3.12 of this book), OEMs should
fill out an “Inquiry form for the electrical equipment of machines.” This is reproduced from the
EN 60204-1 standard, where it is designated as Annex B. The form follows the standard, and covers
the sections which require special attention. The purpose of the form is to facilitate an agreement
between the machine manufacturer and the control manufacturer. The form is an excellent guide
to cover all aspects of control products used on machinery and eliminate future disagreements.

Inquiry form for the electrical equipment of machines


It is recommended that the following information be provided by the intended user
of the equipment. It facilitates an agreement between the user and supplier on basic conditions
and additional user requirements to ensure proper design, application and utilization of the
electrical equipment of the machine (see 4.1 of EN 60204-1).
Name of manufacturer/supplier_______________________________________________
Name of end-user _________________________________________________________
Tender/Order no. __________________________ Date ___________________________
Type of machine/serial number _______________________________________________
1. Are there to be modifications as allowed for within this standard? YES ___ NO ___
Operating Conditions - Special requirements (4.4)
2. Ambient temperature range_______________________________________________
3. Humidity range ________________________________________________________
4. Altitude ______________________________________________________________
5. Environmental (e.g. corrosive atmospheres, particulate matter, EMC) _____________
_____________________________________________________________________
6. Radiation _____________________________________________________________
7. Vibration, shock _______________________________________________________
8. Special installation and operation requirements (e.g. flame retardant requirements
for cables and conductors) _______________________________________________
_____________________________________________________________________
Power supply(ies) and related conditions (4.3)
9. Anticipated voltage fluctuations (if more than ± 10 %) _________________________
10. Anticipated frequency fluctuations (if more than in 4.3.2) ______________________
Specification of short-term value
11. Indicate possible future changes in electrical equipment that will require an increase in
the electrical supply requirements _________________________________________
12. Indicate for each source of electrical supply required:
Nominal Voltage (V) ________ AC ________ DC ________
If AC, number of phases _________ frequency_________ Hz_________
Prospective short circuit current at the point of supply to the machine ________ kA rms
(see also question 15)
Fluctuations outside values given in 4.3.2 ___________________________________
13. Type of power supply earthing:
- TN (System with one point directly earthed, with a protective conductor (PE)
connected directly to that point)__________________________________________
- TT (System with one point directly earthed but the protective conductor (PE)
not connected to that earth point of the system) _____________________________
- IT (System that is not directly earthed) ____________________________________
14. Is the electrical equipment to be connected to a neutral (N) supply conductor?
(5.1) ________________________________ YES _________ NO _________
15. Does the user or the supplier provide the overcurrent protection of the supply
conductors? (7.2.2) _____________________________________________________
Type and rating of overcurrent protective devices _____________________________
16. Supply disconnecting device______________________________________________
- Is the disconnection of the neutral (N) conductor required?
YES________ NO________
- Is a link for the neutral (N) permissible? YES _______ NO ________
17. Type of disconnecting device to be provided _________________________________
18. Limit of power up to which three-phase AC motors may be started directly across the
incoming supply lines ________________________________________________kW
19. May the number of motor overload detection devices be reduced? (7.3)
YES________ NO________
20. Where the machine is equipped with local lighting:
- highest permissible voltage ____________________________________________V
- if lighting circuit voltage is not obtained directly from the power supply,
state preferred voltage ________________________________________________V
Other Considerations
21. Functional identification (17.3) ___________________________________________
22. Inscriptions/special markings
23. Mark of certification? YES ________ NO _______ If YES, which one? __________
On Electrical Equipment? _______________ In which language? ________________
24. Technical documentation (18.1)
On what media? ___________________ In which language? ____________________
25. Size, location, and purpose of ducts, open cable trays, or cable supports to be provided
by the user (18.5) (additional sheets to be provided where necessary) _____________
26. For which of the following classes of persons is access to the interior of enclosures
required during normal operation of the equipment?
- Skilled persons _______________________________________________________
- Instructed persons_____________________________________________________
27. Are locks with removable keys to be provided for fastening doors
or covers? YES ________ NO ________
28. If “two-hand control” is to be provided, state the type: _________________________

After the inquiry form has been completed (and the risk assessment performed), machine
manufacturers should fill out the “Electrical equipment checklist,” which follows the
EN 60204-1 standard. The checklist has three columns. The Applicable and Not Applicable
columns are filled out as a reminder that these sections of the standard apply to the machinery.
The Approved column is provided for checking. After the control equipment is completed, it
provides a place for the inspectors, or approving persons, to check that the applicable sections
of the standard were properly applied.

ELECTRICAL EQUIPMENT CHECKLIST — based on EN 60204-1


For control panels with CE marking according to the Machinery Directive, this checklist must be
filled out by marking the Applicable and Not Applicable columns. The purpose of the Approved column
is to record, during final inspection, that the item has been checked and is according to the requirement.

Customer:____________________________________________ Order No: __________________

Cat No:___________________ Abecos/COPS File: ________________ Date: ________________

Enc. Type: ______________________ Enc. Dimensions (in.):______________________________

Rated Voltage: __________________ Phase: _____________ Hz: __________ DC:___________

204-1 Ref. Description of Standards Not


Applicable Applicable Approved

4.1.0.0.0 Annex B has been completed ■ ■ ■

4.1 Risk assessment has been performed ■ ■ ■


by the customer

4.2.2.3.4 Selection of equipment (List of equipment,


CE marked add DOC, not CE marked ■ ■ ■
TCF number)

4.3 Electrical supply (Standard or Annex B, stated ■ ■ ■


in the instruction manual)

4.4 Physical environment and operating conditions ■ ■ ■

4.4.2 Electromagnetic compatibility (EMC), devices not marked with CE, see standard ■ ■ ■

4.4.3 Ambient air temperature (+5 to 40° C or Annex B, stated in the instruction manual) ■ ■ ■

4.4.4 Humidity (50% at 40° C or equivalent, stated in the instruction manual) ■ ■ ■

4.4.5 Altitude (up to 1000 m or Annex B, stated ■ ■ ■


in the instruction manual)

4.4.6 Contaminants (enclosure type, IP rating) ■ ■ ■

4.4.7 Ionizing and non-ionizing radiation


(microwave, ultraviolet, lasers, X-rays, etc., ■ ■ ■
see Annex B, stated in the instruction manual)

4.4.8 Vibration, shock and bump (including


machine generated, see Annex B, stated ■ ■ ■
in the instruction manual)

4.5 Transportation and storage (-25° C to +55° C) ■ ■ ■

4.6 Provisions for handling (see also 14.4.6) ■ ■ ■

4.7 Installation and operation (installation ■ ■ ■


drawing required)

5.1 Incoming supply conductor termination


marking (single power source). Multiple ■ ■ ■
power source, see 5.3.1

Neutral conductor, color, marking, terminal ■ ■ ■


marking N (see Annex B)

No connection between N and PE ■ ■ ■

5.2 Terminal for connection to the external


protective earthing system: terminal ■ ■ ■
marked with PE

Terminal size ■ ■ ■

Conductor size, material copper, insulation ■ ■ ■


green-and-yellow

Load PE connectors, marking 417-IEC 5019 ■ ■ ■

5.3 Supply disconnecting (isolating) device ■ ■ ■

5.3.1 Disconnect for each incoming source ■ ■ ■

5.3.4 Exceptions: lighting circuits for maintenance,


plug and sockets for maintenance,
undervoltage protection, circuits to remain
energized for satisfactory operation, control ■ ■ ■
circuits for interlocking. Excepted circuits
require warning labels and statement in the
maintenance manual

5.3.1 Disconnecting required for: Collector bars ■ ■ ■

Slip-rings ■ ■ ■

Flexible cables ■ ■ ■

On-board power supply ■ ■ ■

For two or more, disconnect interlocks ■ ■ ■


may be required

5.3.2 Type of disconnecting device: ■ ■ ■


IEC 947-3 AC 23B or DC 23B

Disconnector without fuses, IEC 947-3 with ■ ■ ■


interlock to the load switch

Circuit-breaker IEC 947-2 ■ ■ ■

Plug and socket for 16 A or 3 kW max. load, ■ ■ ■


for motors kW or HP rated

5.3.3 Disconnector marked with O and I ■ ■ ■

External operating handle (except ■ ■ ■


power operated)

For an Emergency Stop, the operator handle ■ ■ ■


is red and the background yellow (see 10.7.5)

Means for locking in the OFF position, disconnect all live conductors,
switch for motors kW or HP rated ■ ■ ■

5.3.4 Handle location between 0.6 and 1.9 m ■ ■ ■

5.4 Prevention of unexpected start-up (disconnect) ■ ■ ■

6 Protection against electric shock 6.2.2 or 6.2.3 ■ ■ ■

6.2.2 Protection by enclosures ■ ■ ■

Top surfaces of enclosures are protected ■ ■ ■


IP4X or IPXXD

All live parts are protected to IP2X or ■ ■ ■


IPXXB, or

Use of key or tool is necessary for access, or ■ ■ ■

Door mounted live parts protected to IP1X ■ ■ ■


or IPXXA, or

All live parts are disconnected before the door


can be opened (defeater allowed). Live parts ■ ■ ■
are protected to IP2X or IPXXB, or

All live parts are protected to IP2X or IPXXB ■ ■ ■

6.2.3 All live parts are completely covered ■ ■ ■


by insulation

6.2.4 Residual voltage discharged to 60 V in ■ ■ ■


5 seconds

6.3 Protection against indirect contact ■ ■ ■


(insulation failure), 6.3.2 or 6.3.3

6.3.2.2 Use of Class II equipment, or ■ ■ ■

6.3.2.3 Electrical separation (see 413.5 of IEC 364-4-41), or ■ ■ ■

6.3.2.4 Isolated supply (one insulation failure not ■ ■ ■


create danger)

6.3.3 Automatic disconnection in case of insulation failure ■ ■ ■

6.4 Protection by PELV ■ ■ ■

Nominal voltage 25 V a.c. or 60 V d.c. dry location, or 6 V a.c. or 15 V d.c. and ■ ■ ■

One side of the circuit is earthed, and ■ ■ ■

Electrically not connected to other circuits, and ■ ■ ■

Conductors physically separated from other ■ ■ ■


conductors, and

Plugs and sockets are not interchangeable ■ ■ ■


with other voltages

6.4.2 Source of PELV: isolating transformer or ■ ■ ■


battery or other equivalent means

7.2 Overcurrent protection ■ ■ ■

7.2.2 Supply conductors (provided or requirements ■ ■ ■


are in the installation instructions)

7.2.3 Power circuits per 7.2.10 ■ ■ ■

Neutral conductor same as phase conductors ■ ■ ■


no protection required

Neutral conductors smaller than phase ■ ■ ■


conductors see 473.3.2.1 of IEC 364-4-473

7.2.4 Control circuits ■ ■ ■

Directly connected to the supply, see 7.2.3 ■ ■ ■

Supplied through a transformer, required in the ■ ■ ■


non-earthed conductor

7.2.5 Conductors feeding outlets, all non-earthed ■ ■ ■


conductors must be protected

7.2.6 Lighting circuits, all non-earthed conductors ■ ■ ■


must be protected, separately from other circuits

7.2.7 Transformers protected per IEC 76-5 and IEC 742 ■ ■ ■

7.2.8 Overcurrent protective devices are located where the conductor is connected to the supply ■ ■ ■

7.2.9 Short-circuit rating is equal with the ■ ■ ■


available short-circuit current

Availability of fuses ■ ■ ■

7.3 Overload protections of motors more than ■ ■ ■


0.5 kW, where required

Automatic restart shall be prevented ■ ■ ■

7.4 Abnormal temperature protection, ■ ■ ■


when required

7.5 Undervoltage protection, when required ■ ■ ■

7.6 Overspeed protection, when required ■ ■ ■

7.7 Earth-fault protection, when required ■ ■ ■

7.8 Phase sequence protection, when required ■ ■ ■

7.9 Surge protection, when required ■ ■ ■

8.2.2 Protective conductors, cross section per


IEC 364-5-54 or 7.4.3.1.7 of IEC 439-1 ■ ■ ■
(see Table 1), material copper

8.2.3 Continuity of the protective bonding. All ■ ■ ■


exposed conductive parts are connected to PE

8.2.4 In the PE circuit switching devices are ■ ■ ■


not allowed

Links in the PE circuit ■ ■ ■

8.2.5 Connection to PE is not required for ■ ■ ■


conductive parts

8.2.5 Small sizes, less than 50 x 50 mm ■ ■ ■

Cannot be grasped ■ ■ ■

Unlikely to contact live parts (screws, ■ ■ ■


nameplates, electromagnets, etc.)

8.2.6 Interruption of protective circuit possible only


after the live circuits have been interrupted, ■ ■ ■
reconnection is in reverse order (plugs, sockets)

8.2.7 Protective conductor connecting points, ■ ■ ■


see 14.1.1

Identified by PE or 417-IEC-5019 or green- ■ ■ ■


and-yellow

8.5 Bonding to a common earth terminal is


permitted for creating a noiseless earth ■ ■ ■
identified by 417-IEC-5018

8.6 To reduce electrical disturbances low


resistance may be used to PE connection ■ ■ ■
marked with 417-IEC-5020

9.1.1 Control circuit supply shall be a separate


winding transformer, except for a single motor ■ ■ ■
starters with two external control

9.1.2 Control circuit voltage 277 V max. when ■ ■ ■


supplied by a transformer

9.1.3 Control circuit protection per 7.2.4 and 7.2.10 ■ ■ ■

9.1.4 In one side earthed control circuits the control


circuit switching devices connected in the live
circuit, except overload relay contacts and ■ ■ ■
control devices in the same enclosure when
earth fault is unlikely

9.2.2 Stop functions ■ ■ ■

Category 0, uncontrolled stop (see 3.62) ■ ■ ■


Category 1, controlled stop (see 3.12) power available during the stopping process ■ ■ ■

9.2.2 Category 2, controlled stop, power is available after the stopping process ■ ■ ■

9.2.3 Operating modes, when more than one and hazard may result, mode selector with lock
may be required ■ ■ ■

9.2.4 Suspension of safeguards, mode selector with ■ ■ ■


lock is required (see standard)

9.2.5.1 Protective interlocks (see 9.3), prevent


unintended movement in case of power supply ■ ■ ■
fault, battery replacement, lost signal, etc.

9.2.5.2 Start possible after safeguards are in place ■ ■ ■

Are hold-to-run controls required ■ ■ ■

Correct sequential starting (see 3.7) ■ ■ ■

9.2.5.3 Stop (see 9.2.2) function shall override ■ ■ ■


the start function

9.2.5.4.2 Emergency stop ■ ■ ■

Shall override all functions and operations ■ ■ ■

Category 0 or 1 (see risk assessment) ■ ■ ■

Category 0, only hard-wired ■ ■ ■


electromechanical components

Category 1, final removal of power ■ ■ ■


by electromechanical components

9.2.5.4.3 Emergency switching off (see IEC 364-4-46 ■ ■ ■


and Annex E)

9.2.5.5 Monitoring of command actions (hazardous ■ ■ ■


conditions)

9.2.5.7 Hold-to-run controls ■ ■ ■

Two-hand control, see risk assessment ■ ■ ■

Type 1, machine stops when either released ■ ■ ■

9.2.5.7 Type 2, both must be released before machine can be restarted ■ ■ ■

Type 3, the control must be initiated within set time limit ■ ■ ■

9.2.5.8 Enabling device, continuously actuated start ■ ■ ■


control, see standard

9.2.6 Combined start and stop controls ■ ■ ■

9.2.7.1 Cableless control (remote, radio, infrared, etc.) ■ ■ ■

Power disconnection required at the operator ■ ■ ■

Prevent unauthorized use of the control station ■ ■ ■

Mark on the operator the operated machine ■ ■ ■

9.2.7.2 Control limitation, only the intended


function on the proper machine shall react ■ ■ ■
to remote control

9.2.7.3 In hazardous condition the remote control requires an emergency stop device ■ ■ ■

9.2.7.5 Use of more than one remote operator control


station, only one control station is operable ■ ■ ■
at the same time

9.2.7.6 Battery-powered remote operator control


station, variation in battery voltage shall not ■ ■ ■
create hazard. Low battery warning required

9.3.1 Restoration of interlocked safeguards shall not ■ ■ ■


initiate machine motion

9.3.2 Overtravel limits, required when hazardous ■ ■ ■


condition can occur

9.3.3 Operation of auxiliary functions. Functions


causing hazard shall have interlocks ■ ■ ■
(pressure, etc.)

9.3.4 Interlocks required between control elements
which can cause hazardous condition, ■ ■ ■
see standard

9.3.5 When reverse current braking is used the motor starting in the opposite direction
shall be prevented, if hazard could result ■ ■ ■

9.4 Control functions in the event of failure, ■ ■ ■
see risk assessment

9.4.2.1 Use of proven circuit techniques ■ ■ ■


and components

9.4.2.2 Provisions for redundancy ■ ■ ■

9.4.2.3 Use of diversity ■ ■ ■

9.4.2.4 Functional tests ■ ■ ■

9.4.3.1 Earth faults in the control circuit shall not


cause starting, hazardous motion and ■ ■ ■
shall not prevent stopping

9.4.3.2 Voltage interruptions, see 7.5 and memory ■ ■ ■


loss shall not create hazard

9.4.3.3 Loss of circuit continuity in safety circuits ■ ■ ■


shall not result in hazard

10 Operator interface and machine mounted


control devices, devices mounted outside ■ ■ ■
or partially outside the control enclosure

10.1.2 Location and mounting ■ ■ ■

Accessible for servicing and prevent damage ■ ■ ■

Hand-operated control: above 0.6 m ■ ■ ■


and reachable

10.1.3 Enclosure protection, IP rating, ■ ■ ■


minimum IPXXD

10.1.4 Position sensors not damaged by overtravel,


for safety related functions direct acting ■ ■ ■
or equivalent

10.1.5 Portable and pendant control stations shall be shock and vibration resistant ■ ■ ■

10.2 Push-buttons ■ ■ ■

10.2.1 Colors per Table 2 ■ ■ ■

10.2.2 Markings IEC 417 symbols 5007, 5008, ■ ■ ■


5010 or 5011

10.3.2 Indicator lights colors per Table 3 ■ ■ ■

10.3.3 Flashing lights allowed ■ ■ ■

10.4 Illuminated push-buttons color coded per ■ ■ ■


Tables 2 and 3

10.5 Rotary control devices mounted to prevent ■ ■ ■


rotation of the stationary member

10.6 Start devices, minimize inadvertent operation ■ ■ ■

10.7 Devices for emergency stop ■ ■ ■

10.7.1 Located at each control station and ■ ■ ■


readily accessible

10.7.2 Types: push-button, pull-cord, pedal operated


(no guard), disconnect switch, positive (direct) ■ ■ ■
operation per IEC 947-5-1 and self latching

10.7.3 Restoration of normal function after ■ ■ ■


emergency stop only after manual reset

10.7.4 Actuators colored red, background yellow, ■ ■ ■


push-button mushroom type

10.7.5 Disconnect may be used when it is readily


accessible and it is according to 5.3.2 type a), ■ ■ ■
b), or c), red operator, yellow background

10.8 Devices for emergency switching off ■ ■ ■

10.8.1 Location as necessary ■ ■ ■

10.8.2 Types: push-button, pull-cord, positive (direct)
operation per IEC 947-5-1 and self latching. ■ ■ ■
Glass enclosure allowed

10.8.3 Restoration of normal function after emergency switching off only after manual reset ■ ■ ■

10.8.4 Actuators red, background yellow, ■ ■ ■
push-button mushroom type

10.9 Visual displays visible from the position ■ ■ ■


of the operator

11 Electronic equipment ■ ■ ■

11.2.1 The status of the digital inputs and outputs ■ ■ ■


should be indicated

11.2.2 Equipotential bonding: ■ ■ ■

All input/output, processor, power supply


racks shall be bonded and earthed, ■ ■ ■
see 8.2.3 and exclusions

11.3 Programmable equipment ■ ■ ■

11.3.1 Programmable controllers per ■ ■ ■


IEC 1131-1 and -2

11.3.2 Memory retention and protection per 9.4.3.2 ■ ■ ■

11.3.3 Software verification required for ■ ■ ■


reprogrammable logic

11.3.4 Use in safety-related functions, shall not be ■ ■ ■


used for Category 0 emergency stop function

12 Control gear location, mounting and enclosures ■ ■ ■

12.1 Accessible for use ■ ■ ■

Accessible for maintenance ■ ■ ■

Protected against external influences ■ ■ ■

12.2.1 Accessibility and maintenance: located
between 0.4 and 2.0 m above service (floor)
level, plugs not interchangeable, ■ ■ ■
test points marked

12.2.2 Physical separation and grouping: ■ ■ ■

Non-electrical devices are not permitted in the
electrical enclosure, terminals grouped: power ■ ■ ■
circuits, associated control circuits, other
control circuits (external sources, etc.)

12.2.3 Heating effects, each component remains within permitted temperature limit ■ ■ ■

12.3 Degrees of protection IP22 minimum ■ ■ ■

12.4.1 Enclosures, doors and openings ■ ■ ■

Captive door fasteners ■ ■ ■

Windows (polycarbonate 3 mm) ■ ■ ■

Doors 0.9 m wide max. ■ ■ ■

12.4.2 Access to control gear per 2.4 of IEC 364-4-481 ■ ■ ■

13 Conductors and cables ■ ■ ■

13.1 Voltage, current, temperature ■ ■ ■

13.2 Conductors, copper, temperature per Table 4,


for frequent movement flexible ■ ■ ■
Class 5 or 6 (Table C.4)

13.3 Insulation, approved ■ ■ ■

13.4 Current carrying capacity in normal service: ■ ■ ■

Temperature in Table 4 is not exceeded ■ ■ ■

Current rating is per Table 5 ■ ■ ■

13.5 Cable voltage drop less than 5% ■ ■ ■

13.6 Smallest cross section per Table 6 ■ ■ ■

13.7 Flexible cables, see standard ■ ■ ■


13.8 Collector wires, collector bars and slipring assemblies, see standard ■ ■ ■

14 Wiring practices ■ ■ ■

14.1.1 Terminal blocks identified ■ ■ ■

Liquids drain away from flexible wires ■ ■ ■

Crimp connections crimp conductor ■ ■ ■


and insulation

Wiring does not cross over terminal blocks ■ ■ ■

14.1.2 Conductors and cable runs: ■ ■ ■

Avoid splices from terminal to terminal ■ ■ ■

Extra length for termination ■ ■ ■

PE conductors routed with phase conductors ■ ■ ■

14.1.3 Conductors of different circuits may be in the


conduit or cable, insulation for the highest ■ ■ ■
voltage in the group

14.2 Identification of conductors ■ ■ ■

14.2.1 Identified at each terminal, for color coding see standard ■ ■ ■

14.2.2 Identification of PE conductor is green-and- ■ ■ ■


yellow throughout the length of the conductor

14.2.3 Identification of the neutral conductors, ■ ■ ■


color light blue

14.2.4 Identification of other conductors, power


circuits: black, a.c. control circuits: red, d.c. ■ ■ ■
control circuits: blue

14.3 Wiring inside the enclosure, conductors


supported, non-metallic channels flame ■ ■ ■
retardant, door mounted devices wired with
flexible conductors

14.4 Wiring outside the enclosure ■ ■ ■

14.4.1 IP protection at the wiring entrance is not reduced ■ ■ ■

14.4.2 External ducts, see standard ■ ■ ■

14.4.3 Connection to moving elements of the ■ ■ ■


machine, see standard

14.4.5 Plug/socket combinations: ■ ■ ■

Male plug on the load side ■ ■ ■

Over 16 A retaining type ■ ■ ■

Over 63 A interlocked with a switch type ■ ■ ■

If more than one each identified by marking ■ ■ ■

For control circuits no domestic type ■ ■ ■

14.4.6 Dismantling for shipment: ■ ■ ■

Terminals or plug/sockets required at sectional points ■ ■ ■

14.5 Ducts, connection boxes and other boxes ■ ■ ■

14.5.1 IP 33 protection minimum, drain holes 6 mm dia. allowed ■ ■ ■

14.5.3 Rigid metal conduit and fittings, see standard ■ ■ ■

14.5.4 Flexible metal conduit and fittings, see standard ■ ■ ■

14.5.5 Flexible non-metal conduit and fittings, see standard ■ ■ ■

14.5.6 Cable trunking systems, see standard ■ ■ ■

14.5.7 Machine compartments and cable trunking systems, see standard ■ ■ ■

14.5.8 Connection boxes and other boxes, see standard ■ ■ ■

14.5.9 Motor connection boxes shall be used only for conductors going to the motor ■ ■ ■

15 Electric motors and associated equipment, see standard

16 Accessories and lighting

16.1 Socket-outlet per IEC 309-1 or marked with voltage and current ■ ■ ■

Unearthed conductors protected for overcurrents ■ ■ ■

16.2 Local lighting of the machine and equipment ■ ■ ■

16.2.1 On-off switch not in the lamp holder or in the cord ■ ■ ■

16.2.2 Supply voltage 50 V or less preferred, not over 250 V, isolating transformer may be required, see standard ■ ■ ■

16.2.3 Protection per 7.2.6 ■ ■ ■

16.2.4 Fittings (lamp holders) approved, lamp protected, if out of reach the section does not apply ■ ■ ■

17 Markings, warning signs and item designations ■ ■ ■

17.1 Supplier’s name or trade mark ■ ■ ■

17.2 Warning signs; for enclosures not clearly shown to contain electrical equipment, use black lightning flash on yellow background per 417-IEC-5036 ■ ■ ■

17.3 Functional identification, control devices, indicators, displays marked per IEC 417 and ISO 7000 ■ ■ ■

17.4 Marking of control equipment: ■ ■ ■

Supplier’s name or trademark ■ ■ ■

Certification mark ■ ■ ■

Serial number (if applicable) ■ ■ ■

Voltage, phases, frequency, full load current

Short-circuit rating ■ ■ ■

Electrical diagram number ■ ■ ■

17.5 Item designation (not applicable to a single motor controller) ■ ■ ■

All components identified with the same designation as on the drawing ■ ■ ■

18 Technical documentation ■ ■ ■

18.1 Installation, operation and maintenance information supplied in an agreed language (see Annex B) ■ ■ ■

18.2 Information to be provided, see standard ■ ■ ■

18.3 Requirements applicable to all documentation per IEC 750 and IEC 1082-1 ■ ■ ■

18.4 Basic information, minimum information: ■ ■ ■

Electrical supply requirement ■ ■ ■

Handling, transportation and storage ■ ■ ■

Inappropriate use of the equipment ■ ■ ■

18.5 Installation diagram, preliminary work, supply cables, overcurrent protective devices, foundation, space for removal and servicing, interconnection diagram ■ ■ ■

18.6 Block (system) diagrams and function diagrams, see IEC 1082-1 Section 2 and IEC 1082-2 Section 3 ■ ■ ■

18.7 Circuit diagrams required ■ ■ ■

18.8 Operating manual for set-up and use of the equipment required ■ ■ ■

18.9 Maintenance manual required ■ ■ ■

18.10 Part list for spare and replacement parts required

19 Testing and verification ■ ■ ■

19.1 Product standards apply; if product standard is not available the following tests apply: ■ ■ ■

Equipment and technical documentation is in agreement ■ ■ ■

Continuity of the PE circuit ■ ■ ■

Insulation resistance (see 19.3) ■ ■ ■

Dielectric voltage test (see 19.4) ■ ■ ■

Protection against residual voltages (see 19.5) ■ ■ ■

Functional test (see 19.6) ■ ■ ■

19.2 Continuity of the protective bonding circuit: ■ ■ ■

After installation loop impedance test per 6.1.2 of IEC 364-6-61 ■ ■ ■

For small machines, less than 30 m bonding loop, not connected to the power source, inject 10 A from a PELV source and the measured voltage drop shall not exceed Table 9 values ■ ■ ■

19.3 Insulation resistance tests: ■ ■ ■

Measured with 500 V d.c. not less than 1 MΩ ■ ■ ■

For exception see standard ■ ■ ■

19.4 Dielectric voltage tests between circuits and bonding: ■ ■ ■

Twice the rated voltage or 1000 V for 1 s, for details see standard ■ ■ ■

19.5 Protection against residual voltages, see 6.2.4 ■ ■ ■

19.6 Functional tests related to safety ■ ■ ■

19.7 Retesting after changes or modifications ■ ■ ■


Appendix C — EHSR (Annex I of the Machinery Directive)
From a control systems perspective, Section 1 of Annex I is probably the most important
part of the EHSR. To give readers an idea of what to expect when reading the EHSRs, this
Appendix notes some of the topics in Section 1.
OBTAINING AND UNDERSTANDING THE COMPLETE EHSRs IS AN ABSOLUTE
REQUIREMENT OF THE LAW. THE FOLLOWING LIST SHOULD NOT BE
CONSTRUED AS COMPLETE OR A SUBSTITUTE FOR THE EHSRs.

ESSENTIAL HEALTH AND SAFETY REQUIREMENTS


(From 89/392/EEC, Annex I — as of September 1997)

1.1 General remarks


1.1.1. Definitions.
1.1.2. Principles of safety integration
(a) Machinery must be so constructed that it is fitted for its function, and can be adjusted
and maintained without putting persons at risk when these operations are carried out
under the conditions foreseen by the manufacturer. The aim of measures taken must be
to eliminate any risk of accident throughout the foreseeable lifetime of the machinery,
including the phases of assembly and dismantling, even where risks of accident arise
from foreseeable abnormal situations.
(b) In selecting the most appropriate methods, the manufacturer must apply the following
principles, in the order given:
- eliminate or reduce risks as far as possible (inherently safe machinery design
and construction),
- take the measures in relation to risks that cannot be eliminated,
- inform users of the residual risks due to any shortcomings of the protection
measures adopted, indicate whether any particular training is required and specify
any need to provide personal protection equipment.
(c) When designing and constructing machinery, and when drafting the instructions, the
manufacturer must envisage not only the normal use of the machinery but also uses
which could reasonably be expected. The machinery must be designed to prevent
abnormal use if such use would engender a risk. In other cases the instructions must
draw the user’s attention to ways — which experience has shown might occur — in
which the machinery should not be used.
(d) Under the intended conditions of use, the discomfort, fatigue and psychological stress
faced by the operator must be reduced to the minimum possible taking ergonomic
principles into account.
(e) When designing and constructing machinery, the manufacturer must take into account
the constraints to which the operator is subject as a result of the necessary or
foreseeable use of personal protection equipment (such as footwear, gloves, etc.).
(f) Machinery must be supplied with all the essential special equipment and accessories
to enable it to be adjusted, maintained and used without risk.
1.1.3. Materials and products
1.1.4. Lighting
1.1.5. Design of machinery to facilitate its handling

1.2 Controls: Reliability, starting and stopping, energy isolation, control failures
1.2.1. Safety and reliability of control systems
Control systems must be designed and constructed so that they are safe and reliable,
in a way that will prevent a dangerous situation arising. Above all they must be designed
and constructed in such a way that:
- they can withstand the rigors of normal use and external factors,
- errors in logic do not lead to dangerous situations.
1.2.2. Control devices
Control devices must be:
- clearly visible and identifiable and appropriately marked where necessary,
- positioned for safe operation without hesitation or loss of time, and
without ambiguity,
- designed so that the movement of the control is consistent with its effect,
- located outside the danger zones, except for certain controls where necessary,
such as emergency stop, console for training of robots,
- positioned so that their operation cannot cause additional risk,
- designed or protected so that the desired effect, where a risk is involved, cannot
occur without an intentional operation,
- made so as to withstand foreseeable strain; particular attention must be paid
to emergency stop devices liable to be subjected to considerable strain.
1.2.3. Starting
It must be possible to start machinery only by voluntary actuation of a control provided
for the purpose. The same requirement applies:
- when restarting the machinery after a stoppage, whatever the cause,
- when effecting a significant change in the operating conditions (e.g., speed,
pressure, etc.), unless such restarting or change in operating conditions is without
risk to exposed persons.
Where machinery has several starting controls and the operators can therefore put each
other in danger, additional devices (e.g., enabling devices or selectors allowing only one part
of the starting mechanism to be actuated at any one time) must be fitted to rule out such risks.
1.2.4. Stopping device — Normal stopping
Each machine must be fitted with a control whereby the machine can be brought safely
to a complete stop. Each workstation must be fitted with a control to stop some or all of the
moving parts of the machinery, depending on the type of hazard, so that the machinery is
rendered safe. The machinery’s stop control must have priority over the start controls.
Once the machinery or its dangerous parts have stopped, the energy supply to the actuators
concerned must be cut off.
Stopping device — Emergency stop
Each machine must be fitted with one or more emergency stop devices to enable actual
or impending danger to be averted.
The stopping device must:
- have clearly identifiable, clearly visible and quickly accessible controls,
- stop the dangerous process as quickly as possible, without creating additional hazards,
- where necessary, trigger or permit the triggering of certain safeguard movements.
The stop command must be sustained by engagement of the emergency stop device until
that engagement is specifically overridden; it must not be possible to engage the device without
triggering a stop command; it must be possible to disengage the device only by an appropriate
operation; and disengaging the device must not restart the machinery but only permit restarting.
1.2.5. Mode selection
1.2.6. Failure of the power supply
The interruption, re-establishment after an interruption or fluctuation in whatever manner
of the power supply to the machinery must not lead to a dangerous situation. In particular:
- the machinery must not start unexpectedly,
- the machinery must not be prevented from stopping if the command has already
been given,
- the protection devices must remain fully effective.
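An added example, not part of the handbook or the directive: a small Python simulation of start/stop interlock logic that exhibits the behaviours listed in 1.2.3, 1.2.4 and 1.2.6 (start only by deliberate actuation, stop priority over start, no restart when an emergency stop is disengaged or when power returns). The class, field and function names are assumptions made for illustration, and the model is meant for reasoning about and testing the requirements, not as safety-rated control code.

```python
"""Simulation of start/stop interlock behaviour (constructed example).

Models the requirements quoted from Annex I 1.2.3, 1.2.4 and 1.2.6.
All names are hypothetical; this is a test model, not safety-rated code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inputs:
    """Operator and supply signals sampled in one control scan."""
    start_pressed: bool = False   # momentary start pushbutton
    stop_pressed: bool = False    # normal stop pushbutton
    estop_engaged: bool = False   # emergency stop device is engaged (latched)
    power_ok: bool = True         # supply present and within tolerance


class MachineControl:
    """Start/stop logic evaluated once per scan."""

    def __init__(self):
        self.running = False
        # True only after the start button has been seen released while no
        # stop condition is active. A held or jammed start button therefore
        # can never start the machine on its own.
        self._armed = False

    @property
    def actuator_energised(self):
        # 1.2.4: once stopped, the energy supply to the actuators is cut off.
        return self.running

    def scan(self, i):
        stop_condition = (
            not i.power_ok or i.estop_engaged or i.stop_pressed
        )
        if stop_condition:
            # 1.2.4: the stop control has priority over the start controls.
            # 1.2.6: loss of power must leave the machine stopped.
            self.running = False
            self._armed = False
            return self.running

        if not i.start_pressed:
            # Button observed released: the next press is a new, voluntary
            # actuation (1.2.3).
            self._armed = True
        elif self._armed and not self.running:
            self.running = True
            self._armed = False
        return self.running


def run_sequence(steps):
    """Feed a list of input dicts through a fresh controller.

    Returns the running state after each scan.
    """
    ctl = MachineControl()
    return [ctl.scan(Inputs(**s)) for s in steps]


# Constructed scenarios. Each dict lists only the inputs that differ from
# the defaults (nothing pressed, power present).
ESTOP_RELEASE_WITH_START_HELD = [
    {},                                             # idle, button released
    {"start_pressed": True},                        # deliberate start
    {"start_pressed": True, "estop_engaged": True}, # e-stop engaged
    {"start_pressed": True},                        # e-stop disengaged
    {},                                             # start released
    {"start_pressed": True},                        # deliberate restart
]

POWER_RESTORED_WITH_START_HELD = [
    {},
    {"start_pressed": True},
    {"power_ok": False},                            # supply interrupted
    {"start_pressed": True},                        # supply back, button held
    {},
    {"start_pressed": True},
]

if __name__ == "__main__":
    print(run_sequence(ESTOP_RELEASE_WITH_START_HELD))
    print(run_sequence(POWER_RESTORED_WITH_START_HELD))
```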
1.2.7. Failure of the control circuit
A fault in the control circuit logic, or failure of or damage to the control circuit must
not lead to dangerous situations. In particular:
- the machinery must not start unexpectedly,
- the machinery must not be prevented from stopping if the command has
already been given,
- no moving part of the machinery or piece held by the machinery must fall or be ejected,
- automatic or manual stopping of the moving parts wherever they may be must
be unimpeded,
- the protection devices must remain fully effective.
1.2.8. Software

1.3 Protection against mechanical hazards


1.3.1. Stability
1.3.2. Risk of break-up during operation
1.3.3. Risks due to falling or ejected objects
1.3.4. Risks due to surfaces, edges or angles
1.3.5 Risks related to combined machinery
1.3.6. Risks relating to variations in the rotational speed of tools
1.3.7. Prevention of risks related to moving parts
The moving parts of machinery must be designed, built and laid out to avoid hazards or,
where hazards persist, fixed with guards or protective devices in such a way as to prevent all
risk of contact which could lead to accidents.
1.3.8. Choice of protection against risks related to moving parts
Guards or protection devices used to protect against the risks related to moving parts
(such as pulleys, belts, gears, rack and pinions, shafts, etc.) must be selected on the basis
of the type of risk. Fixed or movable guards can be used; movable guards should be used
where frequent access is foreseen.
Guards or protection devices designed to protect exposed persons against the risks
associated with moving parts contributing to the work (such as cutting tools, moving parts
of presses, cylinders, parts in the process of being machined, etc.) must be fixed guards
wherever possible. Otherwise, use movable guards or protection devices such as sensing
devices (e.g., non-material barriers, sensor mats), remote-hold protection devices (e.g., sensing
device, two-hand controls), or protection devices intended automatically to prevent all or part
of the operator’s body from encroaching on the danger zone.

1.4 Required characteristics of guards and protective devices
1.4.1. General requirements
1.4.2. Special requirements for guards
1.4.2.1. Fixed guards
1.4.2.2. Movable guards
1.4.2.3. Adjustable guards restricting access
1.4.3. Special requirements for protection devices
Protection devices must be designed and incorporated into the control system so that:
- moving parts cannot start up while they are within the operator’s reach,
- the exposed person cannot reach moving parts once they have started up,
- they can be adjusted only by means of an intentional action, such as the use
of a tool, key, etc.,
- the absence or failure of one of their components prevents starting or stops
the moving parts.

1.5 Protection against other hazards


1.5.1. Electricity supply
1.5.2. Static electricity
1.5.3. Energy supply other than electricity
1.5.4. Errors of fitting
1.5.5. Extreme temperatures
1.5.6. Fire
1.5.7. Explosion
1.5.8. Noise
1.5.9. Vibration
1.5.10. Radiation
1.5.11. External radiation
1.5.12. Laser equipment
1.5.13. Emissions of dust, gases, etc.
1.5.14. Risk of being trapped in a machine
1.5.15. Risk of slipping, tripping or falling

1.6 Maintenance
1.6.1. Machinery maintenance
It must be possible to carry out adjustment, maintenance, repair, cleaning and servicing
operations while machinery is at a standstill. If one or more of the above conditions cannot
be satisfied for technical reasons, these operations must be possible without risk.
1.6.2. Access to operating position and servicing points
1.6.3. Isolation of energy sources
1.6.4. Operator intervention
1.6.5. Cleaning of internal parts

1.7 Indicators (warning, marking, instructions)


1.7.0. Information devices
1.7.1. Warning devices
1.7.2. Warning of residual risks
1.7.3. Marking
1.7.4. Instructions

Appendix D — Some significant faults and failures
Electrical/electronic components
- short circuit or open circuit; e.g., each fault (short circuit to the protective conductor
or a conductive part), open circuit of any conductor
- short circuit or open circuit occurring in single components; e.g., in position switches,
control and regulation equipment, machine actuators, relay contacts
- non drop-out or non pick-up of electromagnetic elements; e.g., contactors, relays,
magnetic valves
- non-starting or non-stopping of motors; e.g., servo motors
- mechanical blocking of moving elements, loosening or displacing of fixed elements;
e.g., position switches
- drift beyond the tolerance values for analogue elements, e.g. resistors, capacitors,
transistors
- oscillation of (unstable) output signals in integrated components
- loss of entire function or of partial functions (worst-case behavior) in complex integrated
components e.g., microprocessors, programmable electronic systems, application-
specific integrated circuits

Hydraulic and pneumatic components


- no switching or incomplete switching of the moving element; e.g., sticking of a
valve piston
- drift in the original control position of the moving element e.g., directional control valves
- leakage and modification of the leakage volume flow; e.g., directional control valves
- unstable control characteristics in servo-valves and proportional valves;
- loss of pressure or bursting of lines; e.g., of hose pipes and at the hose coupling
- clogging of the filter element (in particular caused by solid substances);
- abnormal pressure and/or volume flow; e.g., hydraulic pumps, hydraulic motors,
compressors, cylinders
- failure or abnormal modification of the input or output signal characteristics
in sensors; e.g., pressure switches

Mechanical components
- spring fracture
- stiffness or sticking of guide-moving components
- loosening of fixtures; e.g., by vibration
- wear; e.g., runners, latches, rollers
- misalignment of parts
- environmental influences; e.g., corrosion, temperature

Appendix E — Standards and characteristics of safety functions
Reference list of some standards giving requirements for characteristics of safety functions
(as of March 1, 1997)
Columns: Safety Function Characteristic; Requirements (EN 954-1; EN 292 Part 1; EN 292 Part 2; EN 292 Part 2, Annex A; Further Standards); Additional Information (Not Requirements). Each row lists its entries in column order, with empty columns omitted.

Definitions: 3; 3; clause 3 of EN 60204-1; clause 2 of EN 60335-1

Design principles: 4.2; 3; 1.2.1, 1.2.2, 1.2.7, 1.5.4; 9.4 of EN 60204-1; clause 22 of EN 60335-1, cl 5, 6 of EN 775, cl 5 of prEN 1921

Ergonomic principles: 4.4; 4.9; 3.6, 3.7.8a; 1.2.2 ¶ 1; clause 10 of EN 60204-1; 6.2 of EN 775, 4.6 of prEN 1921

Stop function: 5.2; 3.7.1, 3.7.8b; 1.2.4, 1.3.5; 9.2.2, 9.2.5.3 of EN 60204-1; 7.12 of EN 60335-1, 5.11 of prEN 1921

Emergency stop function: 5.3; 6.1.1; 1.2.4; EN 418, 9.2.5.4 of EN 60204-1; 6.4.2, 7.2.5 of EN 775, 5.11.2 of prEN 1921

Manual reset: 5.4; 6.1.1; 1.2.4; EN 418, 9.2.5.4 of EN 60204-1; 6.4.2, 6.4.3, 7.6 of EN 775, 6.4.3 of prEN 1921

Start and restart: 5.5; 3.7.1, 3.7.2; 1.2.3, 1.3.5; 9.2.1, 9.2.5.1, 9.2.5.2, 9.2.6 of EN 60204-1; 6.10, 7.2.5, 7.3.1, 9.3.4 of EN 775

Response time: 5.6; 3.2, A.3, A.4 of prEN 999

Safety-related parameters: 5.7; 3.7.9e; 7.1, 9.3.2, 9.3.4 of EN 60204-1; 4.2 of EN 775, 11.8 of EN 60335-1

Local control function: 5.8; 3.7.9, 3.7.10; 3.2.9, 7.2.6 of EN 775, 3.13, 4.5, 5.9, 6.2 of prEN 1921

Muting: 5.9

Manual suspension of safety functions: 5.10; 3.7.10, 4.1.4; 1.2.5; 9.2.4 of EN 60204-1; 6.10 of EN 775, 5.8 of prEN 1921

Fluctuations, loss and restoration of power sources: 5.11; 3.7.8e; 1.2.6, 1.5.3; 4.3, 7.1, 7.5 of EN 60204-1

Unexpected start-up: 3.7.2; 1.2.3, 1.2.6, 1.2.7; EN 1037, 5.4 of EN 60204-1

Indications and alarms: 3.6.7, 5.3; 1.2.2, ¶ 4, 6, 1.7.0, 1.7.1; EN 457, prEN 842, prEN 981, 10.4, 11.3 of EN 60204-1, EN 60447; 5.6 of prEN 1921

Escape and rescue of trapped persons: 6.1.2; 1.2.2, ¶ 5, 6

Electrical equipment: 3.9; 1.5.1, 1.5.7; EN 60204-1

Electrical supply: 1.5.1; 4.3 of EN 60204-1

Other supply: 1.5.3; 5.1.4 of EN 982, 5.1.4 of EN 983

Covers and enclosures: 13.4 of EN 60204-1, EN 60529

Pneumatic and hydraulic equipment: 3.8; 1.5.3; EN 982, EN 983

Isolation and energy dissipation: 6.2.2; 1.6.3; EN 1037, 5.3, 6.3.1 of EN 60204-1

Physical environment and operating conditions: 3.7.11; 4.4 of EN 60204-1; 6.9 of EN 775, 4.3, 4.5 of prEN 1921

Control modes and mode selection: 3.7.9, 3.7.10; 1.2.5; 9.2.3 of EN 60204-1; 6.10 of EN 775

Interfaces/connections: 1.5.4, 1.6.1 ¶ 3; 9.1.4, 11, 15.4 of EN 60204-1

Interaction between different safety-related parts of control systems: 3.7.8e; 9.3.4 of EN 60204-1

Man-machine interface: 3.6.6, 3.6.7; 1.2.2; clause 10 of EN 60204-1, EN 60447
Appendix F — Sample DOCs
Words printed in italics are instructions for the person drawing up this declaration and should
be deleted in the actual text of this declaration; this model is to be used for machinery which is
not mentioned in Annex IV of Directive 89/392/EEC. In case of Annex IV-machinery, this model
should be amended to account for the special conditions in Annex II of Directive 89/392/EEC.
EC DECLARATION OF CONFORMITY FOR MACHINERY
(Directive 89/392/EEC, Annex II, sub A)
Manufacturer: (business name)
Address:
Herewith declares that

(description of the machinery: make, type, serial number, etc.)

- is in conformity with the provisions of the Machinery Directive (Directive 89/392/EEC),
as amended, and with national implementing legislation;
- is in conformity with the provisions of the following other EEC directives (only to be
mentioned where appropriate):

and furthermore declares that


- the following (parts/clauses of) harmonized standards have been applied (only to be
mentioned where appropriate):

- the following (parts/clauses of) national technical standards and specifications have been
used (only to be mentioned where appropriate):

(place) (date, but only optional)

(Signature)

(full name and identification of the person empowered to sign on behalf of the manufacturer)

Please note that this declaration must be drawn up in the same language as the original instructions (see Annex I, Section 1.7.4.b)
and must either be typewritten or handwritten in block capitals. It must be accompanied by a translation in one of the official
languages of the country in which the machinery is to be used. This translation must be done in accordance with the same
conditions as for the translation of the instructions.
DECLARATION BY THE MANUFACTURER (Variant 1)
(Directive 89/392/EEC, Art. 4.2 and Annex II, sub B)
PROHIBITION TO PUT INTO SERVICE

Manufacturer: (business name)
Address:
Herewith declares that

(description of the machinery: make, type, serial number, etc.)

- is intended to be incorporated into machinery or to be assembled with other machinery
to constitute machinery covered by Directive 89/392/EEC, as amended;
- does therefore not in every respect comply with the provisions of this directive;
- does comply with the provisions of the following other EEC directives (only to be
mentioned where appropriate):

and that
- the following (parts/clauses of) harmonized standards have been applied (only to be
mentioned where appropriate):

- the following (parts/clauses of) national technical standards and specifications have been
used (only to be mentioned where appropriate):

and furthermore declares that it is not allowed to put the machinery into service until the
machinery into which it is to be incorporated or of which it is to be a component has been found
and declared to be in conformity with the provisions of Directive 89/392/EEC and with national
implementing legislation, i.e. as a whole, including the machinery referred to in this declaration.

(place) (date, but only optional)

(Signature)

(full name and identification of the person empowered to sign on behalf of the manufacturer)
DECLARATION BY THE MANUFACTURER (Variant 2)
(Directive 89/392/EEC, Art. 4.2 and Annex II, sub B)
PROHIBITION TO PUT INTO SERVICE

Manufacturer: (business name)
Address:
Herewith declares that

(description of the machinery: make, type, serial number, etc.)

- is intended to be incorporated into machinery or to be assembled with other machinery
to constitute machinery covered by Directive 89/392/EEC, as amended;
and that
- the following (parts/clauses of) harmonized standards have been applied (only to be
mentioned where appropriate):

and that
- the following (parts/clauses of) harmonized standards have been applied (only to be
mentioned where appropriate):

and furthermore declares that it is not allowed to put the machinery into service until the
machinery into which it is to be incorporated or of which it is to be a component has been found
and declared to be in conformity with the provisions of Directive 89/392/EEC and with national
implementing legislation, i.e. as a whole, including the machinery referred to in this declaration.

(place) (date, but only optional)

(Signature)

(full name and identification of the person empowered to sign on behalf of the manufacturer)
EC DECLARATION OF CONFORMITY FOR SAFETY COMPONENTS
PLACED ON THE MARKET SEPARATELY
(Directive 89/392/EEC, Annex II, sub C.)

Manufacturer: (business name)
Address:
Herewith declares that

(description of the machinery: make, type, serial number, etc.)

which has the following safety function (if not already obvious from the description):

- is in conformity with the provisions of the Machinery directive (Directive 89/392/EEC),
as amended, and with national implementing legislation;
- is in conformity with the provisions of the following other EEC directives (only to be
mentioned where appropriate):

and furthermore declares that


- the following (parts/clauses of) harmonized standards have been applied (only to be
mentioned where appropriate):

- the following (parts/clauses of) national technical standards and specifications have been
used (only to be mentioned where appropriate):

(place) (date, but only optional)


(Signature)

(full name and identification of the person empowered to sign on behalf of the manufacturer)
Appendix G — Annex IV equipment
The following types of machinery and safety components may require an EC-type
examination:

Machinery
1. Circular saws (single or multi-blade) for working with wood and analogous materials
or for working with meat and analogous materials.
A) Sawing machines with fixed tool during operation, having a fixed bed with manual
feed of the workpiece or with a demountable power feed.
B) Sawing machines with fixed tool during operation, having a manually operated
reciprocating saw-bench or carriage.
C) Sawing machines with fixed tool during operation, having a built-in mechanical feed
device for the workpieces, with manual loading and/or unloading.
D) Sawing machines with movable tool during operation, with a mechanical feed device
and manual loading and/or unloading.
2. Hand-fed surface planing machines for woodworking.
3. Thickeners for one-side dressing with manual loading and/or unloading for woodworking.
4. Band-saws with a fixed or mobile bed and band-saws with a mobile carriage, with manual
loading and/or unloading, for working with wood and analogous materials or for working
with meat and analogous materials.
5. Combined machines of the types referred to in 1 to 4 and 7 for working with wood and
analogous materials.
6. Hand-fed tenoning machines with several tool holders for woodworking.
7. Hand-fed vertical spindle moulding machines for working with wood and analogous materials.
8. Portable chain saws for woodworking.
9. Presses, including press-brakes, for the cold working of metals, with manual loading
and/or unloading, whose movable working parts may have a travel exceeding 6 mm and a
speed exceeding 30 mm/s.
10. Injection or compression plastics-moulding machines with manual loading or unloading.
11. Injection or compression rubber-moulding machines with manual loading or unloading.
12. Machinery for underground working of the following types:
- machinery on rails: locomotives and brake-vans,
- hydraulic-powered roof supports,
- internal combustion engines to be fitted to machinery for underground working.
13. Manually loaded trucks for the collection of household refuse incorporating a
compression mechanism.
14. Guards and detachable transmission shafts with universal joints.
15. Vehicles servicing lifts.
16. Devices for the lifting of persons involving a risk of falling from a vertical height of more
than 3 meters.
17. Machines for the manufacture of pyrotechnics.

Safety components
1. Electrosensitive devices designed specifically to detect persons in order to ensure their
safety (non-material barriers, sensor mats, electromagnetic detectors, etc.).
2. Logic units which ensure the safety functions of bi-manual controls.
3. Automatic movable screens to protect the presses referred to in 9, 10, and 11.
4. Roll-over protective structures.
5. Falling-object protective structures.

Appendix H — IEC Style Diagrams from Chapter 5
[Figure: IEC-style circuit diagram. Labels: Overload, On/Off pushbutton, K1, M.]
Fig. 5.6 Potential category B control circuit.

[Figure: IEC-style circuit diagram. Labels: E-Stop, Stop, Gate Interlock, K1, Start, Pusher Controls, M, Overload.]
Fig. 5.7 Potential category 1 control circuit.

[Figure: IEC-style circuit diagram. Labels: E-Stop, Stop, Safety Interlock, Start, K1, K2, Robot Controller, M, Overload.]
Fig. 5.8 Potential category 2 control circuit.

[Figure: IEC-style circuit diagram. Labels: E-Stop, Start, K1, K2, K3, M, Overload.]
Fig. 5.8 Potential category 4 control circuit.

